# Flog Txt Version 1 # Analyzer Version: 3.1.2 # Analyzer Build Date: Oct 28 2019 11:51:53 # Log Creation Date: 05.11.2019 15:39:08.126 Process: id = "1" image_name = "1.exe.quarantine.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1.exe.quarantine.exe" page_root = "0x518b6000" os_pid = "0x794" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x688 [0023.246] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x74d40000 [0023.247] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x74b50000 [0023.329] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x75fd0000 [0024.872] GetModuleHandleA (lpModuleName=0x0) returned 0x180000 [0024.872] FindResourceW (hModule=0x180000, lpName=0x7f, lpType=0xa) returned 0x188048 [0024.876] LoadResource (hModule=0x180000, hResInfo=0x188048) returned 0x188058 [0024.876] SizeofResource (hModule=0x180000, hResInfo=0x188048) returned 0x134a [0024.876] GetProcessHeap () returned 0x4e0000 [0024.876] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x134a) returned 0x4fe250 [0024.876] GetUserDefaultLangID () returned 0x409 [0024.877] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2ff834 | out: TokenHandle=0x2ff834*=0xa4) returned 1 [0024.877] GetTokenInformation (in: TokenHandle=0xa4, TokenInformationClass=0x14, TokenInformation=0x2ff82c, TokenInformationLength=0x4, ReturnLength=0x2ff830 | out: TokenInformation=0x2ff82c, ReturnLength=0x2ff830) returned 1 [0024.877] CloseHandle (hObject=0xa4) returned 1 [0024.877] CryptAcquireContextW (in: phProv=0x2ffd98, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2ffd98*=0x4ff5e8) returned 1 [0025.029] CryptGenKey (in: hProv=0x4ff5e8, Algid=0xa400, dwFlags=0x4000001, phKey=0x2ff828 | out: phKey=0x2ff828*=0x4ff5a8) returned 1 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x8) returned 0x5040c0 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5040d0 [0025.243] CryptExportKey (in: hKey=0x4ff5a8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x5040d0, pdwDataLen=0x2ff830 | out: pbData=0x5040d0*, pdwDataLen=0x2ff830*=0x94) returned 1 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x94) returned 0x5044d8 [0025.243] CryptExportKey (in: hKey=0x4ff5a8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x5040d0, pdwDataLen=0x2ff830 | out: pbData=0x5040d0*, pdwDataLen=0x2ff830*=0x254) returned 1 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x254) returned 0x504578 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5040d0 | out: hHeap=0x4e0000) returned 0 [0025.243] CryptDestroyKey (hKey=0x4ff5a8) returned 1 [0025.243] CryptImportKey (in: hProv=0x4ff5e8, pbData=0x5044d8, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0x18601c | out: phKey=0x18601c*=0x4ff5a8) returned 1 [0025.243] GetProcessHeap () returned 0x4e0000 [0025.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x4ffe10 [0025.243] CryptImportKey (in: hProv=0x4ff5e8, pbData=0x4fe250, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x2ffd90 | out: phKey=0x2ffd90*=0x502618) returned 1 [0025.243] CryptEncrypt (in: hKey=0x502618, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0xf5, dwBufLen=0x100 | out: pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0x100) returned 1 [0025.244] CryptEncrypt (in: hKey=0x502618, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0xf5, dwBufLen=0x100 | out: pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0x100) returned 1 [0025.244] CryptEncrypt (in: hKey=0x502618, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0x6a, dwBufLen=0x100 | out: pbData=0x2ffc8c*, pdwDataLen=0x2ffd94*=0x100) returned 1 [0025.244] CryptDestroyKey (hKey=0x502618) returned 1 [0025.244] GetProcessHeap () returned 0x4e0000 [0025.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0025.244] GetProcessHeap () returned 0x4e0000 [0025.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x504578 | out: hHeap=0x4e0000) returned 1 [0025.244] GetProcessHeap () returned 0x4e0000 [0025.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5040c0 | out: hHeap=0x4e0000) returned 1 [0025.245] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", ulOptions=0x0, samDesired=0x2, phkResult=0x2ffd8c | out: phkResult=0x2ffd8c*=0x0) returned 0x2 [0025.245] GetWindowsDirectoryW (in: lpBuffer=0x2ff848, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0025.245] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\sysnative\\vssadmin.exe" | out: lpString1="C:\\Windows\\sysnative\\vssadmin.exe") returned="C:\\Windows\\sysnative\\vssadmin.exe" [0025.245] lstrcpyW (in: lpString1=0x2ffa84, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0025.245] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Windows\\sysnative\\vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0026.766] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x2ff62c | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0026.767] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\" [0026.767] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="taridd" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taridd") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taridd" [0026.767] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\taridd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\taridd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x6, hTemplateFile=0x0) returned 0xf0 [0026.768] GetLastError () returned 0x0 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] GetTickCount () returned 0x1141ae1 [0026.768] WriteFile (in: hFile=0xf0, lpBuffer=0x186228*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x2ff834, lpOverlapped=0x0 | out: lpBuffer=0x186228*, lpNumberOfBytesWritten=0x2ff834*=0x6, lpOverlapped=0x0) returned 1 [0026.769] CloseHandle (hObject=0xf0) returned 1 [0026.880] StrCmpNA (lpStr1="%link%", lpStr2="%name%", nChar=6) returned -1 [0026.880] StrCmpNA (lpStr1="%link%", lpStr2="%link%", nChar=6) returned 0 [0026.880] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%name%", nChar=6) returned -1 [0026.880] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%link%", nChar=6) returned -1 [0026.880] StrCmpNA (lpStr1="%ID%", lpStr2="%ID%", nChar=4) returned 0 [0026.880] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ff5f0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1.exe.quarantine.exe")) returned 0x3a [0026.881] lstrcpyW (in: lpString1=0x2ff3e8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe" [0026.881] PathRemoveFileSpecW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0026.881] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0x2ff1e0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0026.883] lstrcmpW (lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.883] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] GetTickCount () returned 0x1141b00 [0026.884] wnsprintfW (in: pszDest=0x186020, cchDest=260, pszFmt="%s\\%s" | out: pszDest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3") returned 122 [0026.884] wnsprintfW (in: pszDest=0x2fefd8, cchDest=260, pszFmt="%s.exe" | out: pszDest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe") returned 126 [0026.884] CopyFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1.EXE.QUARANTINE.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1.exe.quarantine.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\3prmmvyzl7l6ych05qf1abb2nvhrv3.exe"), bFailIfExists=0) returned 1 [0026.889] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe8 [0026.892] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0026.892] StrCmpNW (lpStr1="[Syst", lpStr2="mysql", nChar=5) returned -1 [0026.892] StrCmpNW (lpStr1="[Sy", lpStr2="IBM", nChar=3) returned -1 [0026.892] StrCmpNW (lpStr1="[Syst", lpStr2="bes10", nChar=5) returned -1 [0026.892] StrCmpNW (lpStr1="[Syst", lpStr2="black", nChar=5) returned -1 [0026.892] StrCmpNW (lpStr1="[Sy", lpStr2="sql", nChar=3) returned -1 [0026.892] StrCmpNW (lpStr1="[System P", lpStr2="store.exe", nChar=9) returned -1 [0026.892] StrCmpNW (lpStr1="[Sy", lpStr2="vee", nChar=3) returned -1 [0026.892] StrCmpNW (lpStr1="[Syst", lpStr2="postg", nChar=5) returned -1 [0026.892] StrCmpNW (lpStr1="[Sys", lpStr2="sage", nChar=4) returned -1 [0026.892] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0026.893] StrCmpNW (lpStr1="Syste", lpStr2="mysql", nChar=5) returned 1 [0026.893] StrCmpNW (lpStr1="Sys", lpStr2="IBM", nChar=3) returned 1 [0026.893] StrCmpNW (lpStr1="Syste", lpStr2="bes10", nChar=5) returned 1 [0026.893] StrCmpNW (lpStr1="Syste", lpStr2="black", nChar=5) returned 1 [0026.893] StrCmpNW (lpStr1="Sys", lpStr2="sql", nChar=3) returned 1 [0026.893] StrCmpNW (lpStr1="System", lpStr2="store.exe", nChar=9) returned 1 [0026.893] StrCmpNW (lpStr1="Sys", lpStr2="vee", nChar=3) returned -1 [0026.893] StrCmpNW (lpStr1="Syste", lpStr2="postg", nChar=5) returned 1 [0026.893] StrCmpNW (lpStr1="Syst", lpStr2="sage", nChar=4) returned 1 [0026.893] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0026.894] StrCmpNW (lpStr1="smss.", lpStr2="mysql", nChar=5) returned 1 [0026.894] StrCmpNW (lpStr1="sms", lpStr2="IBM", nChar=3) returned 1 [0026.894] StrCmpNW (lpStr1="smss.", lpStr2="bes10", nChar=5) returned 1 [0026.894] StrCmpNW (lpStr1="smss.", lpStr2="black", nChar=5) returned 1 [0026.894] StrCmpNW (lpStr1="sms", lpStr2="sql", nChar=3) returned -1 [0026.894] StrCmpNW (lpStr1="smss.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.894] StrCmpNW (lpStr1="sms", lpStr2="vee", nChar=3) returned -1 [0026.894] StrCmpNW (lpStr1="smss.", lpStr2="postg", nChar=5) returned 1 [0026.894] StrCmpNW (lpStr1="smss", lpStr2="sage", nChar=4) returned 1 [0026.894] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0026.895] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0026.895] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0026.895] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0026.895] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.895] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0026.895] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0026.895] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0026.895] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0026.895] StrCmpNW (lpStr1="winin", lpStr2="mysql", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0026.895] StrCmpNW (lpStr1="winin", lpStr2="bes10", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="winin", lpStr2="black", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0026.895] StrCmpNW (lpStr1="wininit.e", lpStr2="store.exe", nChar=9) returned 1 [0026.895] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0026.895] StrCmpNW (lpStr1="winin", lpStr2="postg", nChar=5) returned 1 [0026.895] StrCmpNW (lpStr1="wini", lpStr2="sage", nChar=4) returned 1 [0026.895] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0026.896] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0026.896] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0026.896] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0026.896] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0026.896] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0026.896] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.896] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0026.896] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0026.896] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0026.896] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0026.897] StrCmpNW (lpStr1="winlo", lpStr2="mysql", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0026.897] StrCmpNW (lpStr1="winlo", lpStr2="bes10", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="winlo", lpStr2="black", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0026.897] StrCmpNW (lpStr1="winlogon.", lpStr2="store.exe", nChar=9) returned 1 [0026.897] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0026.897] StrCmpNW (lpStr1="winlo", lpStr2="postg", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="winl", lpStr2="sage", nChar=4) returned 1 [0026.897] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0026.897] StrCmpNW (lpStr1="servi", lpStr2="mysql", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="ser", lpStr2="IBM", nChar=3) returned 1 [0026.897] StrCmpNW (lpStr1="servi", lpStr2="bes10", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="servi", lpStr2="black", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="ser", lpStr2="sql", nChar=3) returned -1 [0026.897] StrCmpNW (lpStr1="services.", lpStr2="store.exe", nChar=9) returned -1 [0026.897] StrCmpNW (lpStr1="ser", lpStr2="vee", nChar=3) returned -1 [0026.897] StrCmpNW (lpStr1="servi", lpStr2="postg", nChar=5) returned 1 [0026.897] StrCmpNW (lpStr1="serv", lpStr2="sage", nChar=4) returned 1 [0026.897] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0026.898] StrCmpNW (lpStr1="lsass", lpStr2="mysql", nChar=5) returned -1 [0026.898] StrCmpNW (lpStr1="lsa", lpStr2="IBM", nChar=3) returned 1 [0026.898] StrCmpNW (lpStr1="lsass", lpStr2="bes10", nChar=5) returned 1 [0026.898] StrCmpNW (lpStr1="lsass", lpStr2="black", nChar=5) returned 1 [0026.898] StrCmpNW (lpStr1="lsa", lpStr2="sql", nChar=3) returned -1 [0026.898] StrCmpNW (lpStr1="lsass.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.898] StrCmpNW (lpStr1="lsa", lpStr2="vee", nChar=3) returned -1 [0026.898] StrCmpNW (lpStr1="lsass", lpStr2="postg", nChar=5) returned -1 [0026.898] StrCmpNW (lpStr1="lsas", lpStr2="sage", nChar=4) returned -1 [0026.898] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0026.898] StrCmpNW (lpStr1="lsm.e", lpStr2="mysql", nChar=5) returned -1 [0026.898] StrCmpNW (lpStr1="lsm", lpStr2="IBM", nChar=3) returned 1 [0026.898] StrCmpNW (lpStr1="lsm.e", lpStr2="bes10", nChar=5) returned 1 [0026.898] StrCmpNW (lpStr1="lsm.e", lpStr2="black", nChar=5) returned 1 [0026.899] StrCmpNW (lpStr1="lsm", lpStr2="sql", nChar=3) returned -1 [0026.899] StrCmpNW (lpStr1="lsm.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.899] StrCmpNW (lpStr1="lsm", lpStr2="vee", nChar=3) returned -1 [0026.899] StrCmpNW (lpStr1="lsm.e", lpStr2="postg", nChar=5) returned -1 [0026.899] StrCmpNW (lpStr1="lsm.", lpStr2="sage", nChar=4) returned -1 [0026.899] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.899] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.899] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.899] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.899] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.899] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.899] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.899] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.899] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.899] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.899] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.900] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.900] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.900] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.900] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.900] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.901] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.901] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.901] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.901] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.901] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.901] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.901] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.901] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.901] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.901] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.901] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.901] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.901] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.901] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.902] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.902] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.902] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.902] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.902] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.902] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.902] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.902] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.902] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.902] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0026.902] StrCmpNW (lpStr1="audio", lpStr2="mysql", nChar=5) returned -1 [0026.902] StrCmpNW (lpStr1="aud", lpStr2="IBM", nChar=3) returned -1 [0026.902] StrCmpNW (lpStr1="audio", lpStr2="bes10", nChar=5) returned -1 [0026.902] StrCmpNW (lpStr1="audio", lpStr2="black", nChar=5) returned -1 [0026.902] StrCmpNW (lpStr1="aud", lpStr2="sql", nChar=3) returned -1 [0026.902] StrCmpNW (lpStr1="audiodg.e", lpStr2="store.exe", nChar=9) returned -1 [0026.902] StrCmpNW (lpStr1="aud", lpStr2="vee", nChar=3) returned -1 [0026.902] StrCmpNW (lpStr1="audio", lpStr2="postg", nChar=5) returned -1 [0026.903] StrCmpNW (lpStr1="audi", lpStr2="sage", nChar=4) returned -1 [0026.903] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.903] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.903] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.903] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.903] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.903] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.903] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.903] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.903] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.903] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.903] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.904] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.904] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.904] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.904] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.904] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.904] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0026.904] StrCmpNW (lpStr1="dwm.e", lpStr2="mysql", nChar=5) returned -1 [0026.904] StrCmpNW (lpStr1="dwm", lpStr2="IBM", nChar=3) returned -1 [0026.904] StrCmpNW (lpStr1="dwm.e", lpStr2="bes10", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="dwm.e", lpStr2="black", nChar=5) returned 1 [0026.904] StrCmpNW (lpStr1="dwm", lpStr2="sql", nChar=3) returned -1 [0026.904] StrCmpNW (lpStr1="dwm.exe", lpStr2="store.exe", nChar=9) returned -1 [0026.904] StrCmpNW (lpStr1="dwm", lpStr2="vee", nChar=3) returned -1 [0026.904] StrCmpNW (lpStr1="dwm.e", lpStr2="postg", nChar=5) returned -1 [0026.904] StrCmpNW (lpStr1="dwm.", lpStr2="sage", nChar=4) returned -1 [0026.905] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0026.905] StrCmpNW (lpStr1="explo", lpStr2="mysql", nChar=5) returned -1 [0026.905] StrCmpNW (lpStr1="exp", lpStr2="IBM", nChar=3) returned -1 [0026.905] StrCmpNW (lpStr1="explo", lpStr2="bes10", nChar=5) returned 1 [0026.905] StrCmpNW (lpStr1="explo", lpStr2="black", nChar=5) returned 1 [0026.905] StrCmpNW (lpStr1="exp", lpStr2="sql", nChar=3) returned -1 [0026.905] StrCmpNW (lpStr1="explorer.", lpStr2="store.exe", nChar=9) returned -1 [0026.905] StrCmpNW (lpStr1="exp", lpStr2="vee", nChar=3) returned -1 [0026.905] StrCmpNW (lpStr1="explo", lpStr2="postg", nChar=5) returned -1 [0026.905] StrCmpNW (lpStr1="expl", lpStr2="sage", nChar=4) returned -1 [0026.905] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0026.906] StrCmpNW (lpStr1="spool", lpStr2="mysql", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="spo", lpStr2="IBM", nChar=3) returned 1 [0026.906] StrCmpNW (lpStr1="spool", lpStr2="bes10", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="spool", lpStr2="black", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="spo", lpStr2="sql", nChar=3) returned -1 [0026.906] StrCmpNW (lpStr1="spoolsv.e", lpStr2="store.exe", nChar=9) returned -1 [0026.906] StrCmpNW (lpStr1="spo", lpStr2="vee", nChar=3) returned -1 [0026.906] StrCmpNW (lpStr1="spool", lpStr2="postg", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="spoo", lpStr2="sage", nChar=4) returned 1 [0026.906] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0026.906] StrCmpNW (lpStr1="taskh", lpStr2="mysql", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="tas", lpStr2="IBM", nChar=3) returned 1 [0026.906] StrCmpNW (lpStr1="taskh", lpStr2="bes10", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="taskh", lpStr2="black", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="tas", lpStr2="sql", nChar=3) returned 1 [0026.906] StrCmpNW (lpStr1="taskhost.", lpStr2="store.exe", nChar=9) returned 1 [0026.906] StrCmpNW (lpStr1="tas", lpStr2="vee", nChar=3) returned -1 [0026.906] StrCmpNW (lpStr1="taskh", lpStr2="postg", nChar=5) returned 1 [0026.906] StrCmpNW (lpStr1="task", lpStr2="sage", nChar=4) returned 1 [0026.906] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0026.907] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0026.907] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0026.907] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0026.907] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0026.907] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0026.907] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0026.907] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0026.907] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0026.907] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0026.907] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0026.908] StrCmpNW (lpStr1="taske", lpStr2="mysql", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="IBM", nChar=3) returned 1 [0026.908] StrCmpNW (lpStr1="taske", lpStr2="bes10", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="taske", lpStr2="black", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="sql", nChar=3) returned 1 [0026.908] StrCmpNW (lpStr1="taskeng.e", lpStr2="store.exe", nChar=9) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="vee", nChar=3) returned -1 [0026.908] StrCmpNW (lpStr1="taske", lpStr2="postg", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="task", lpStr2="sage", nChar=4) returned 1 [0026.908] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0026.908] StrCmpNW (lpStr1="taskh", lpStr2="mysql", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="IBM", nChar=3) returned 1 [0026.908] StrCmpNW (lpStr1="taskh", lpStr2="bes10", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="taskh", lpStr2="black", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="sql", nChar=3) returned 1 [0026.908] StrCmpNW (lpStr1="taskhost.", lpStr2="store.exe", nChar=9) returned 1 [0026.908] StrCmpNW (lpStr1="tas", lpStr2="vee", nChar=3) returned -1 [0026.908] StrCmpNW (lpStr1="taskh", lpStr2="postg", nChar=5) returned 1 [0026.908] StrCmpNW (lpStr1="task", lpStr2="sage", nChar=4) returned 1 [0026.908] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="drama_caused.exe")) returned 1 [0026.909] StrCmpNW (lpStr1="drama", lpStr2="mysql", nChar=5) returned -1 [0026.909] StrCmpNW (lpStr1="dra", lpStr2="IBM", nChar=3) returned -1 [0026.909] StrCmpNW (lpStr1="drama", lpStr2="bes10", nChar=5) returned 1 [0026.909] StrCmpNW (lpStr1="drama", lpStr2="black", nChar=5) returned 1 [0026.909] StrCmpNW (lpStr1="dra", lpStr2="sql", nChar=3) returned -1 [0026.909] StrCmpNW (lpStr1="drama_cau", lpStr2="store.exe", nChar=9) returned -1 [0026.909] StrCmpNW (lpStr1="dra", lpStr2="vee", nChar=3) returned -1 [0026.909] StrCmpNW (lpStr1="drama", lpStr2="postg", nChar=5) returned -1 [0026.909] StrCmpNW (lpStr1="dram", lpStr2="sage", nChar=4) returned -1 [0026.909] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="phantom reduces convicted.exe")) returned 1 [0026.909] StrCmpNW (lpStr1="phant", lpStr2="mysql", nChar=5) returned 1 [0026.910] StrCmpNW (lpStr1="pha", lpStr2="IBM", nChar=3) returned 1 [0026.910] StrCmpNW (lpStr1="phant", lpStr2="bes10", nChar=5) returned 1 [0026.910] StrCmpNW (lpStr1="phant", lpStr2="black", nChar=5) returned 1 [0026.910] StrCmpNW (lpStr1="pha", lpStr2="sql", nChar=3) returned -1 [0026.910] StrCmpNW (lpStr1="phantom r", lpStr2="store.exe", nChar=9) returned -1 [0026.910] StrCmpNW (lpStr1="pha", lpStr2="vee", nChar=3) returned -1 [0026.910] StrCmpNW (lpStr1="phant", lpStr2="postg", nChar=5) returned -1 [0026.910] StrCmpNW (lpStr1="phan", lpStr2="sage", nChar=4) returned -1 [0026.910] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dictionariesfeeding.exe")) returned 1 [0026.911] StrCmpNW (lpStr1="dicti", lpStr2="mysql", nChar=5) returned -1 [0026.911] StrCmpNW (lpStr1="dic", lpStr2="IBM", nChar=3) returned -1 [0026.911] StrCmpNW (lpStr1="dicti", lpStr2="bes10", nChar=5) returned 1 [0026.911] StrCmpNW (lpStr1="dicti", lpStr2="black", nChar=5) returned 1 [0026.911] StrCmpNW (lpStr1="dic", lpStr2="sql", nChar=3) returned -1 [0026.911] StrCmpNW (lpStr1="dictionar", lpStr2="store.exe", nChar=9) returned -1 [0026.911] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wilson.exe")) returned 1 [0026.911] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cause tim attempting.exe")) returned 1 [0026.912] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderator.exe")) returned 1 [0026.912] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="smtp_machinery_refresh.exe")) returned 1 [0026.913] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="saves.exe")) returned 1 [0026.913] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="destroy_breathing_directed.exe")) returned 1 [0026.913] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="eq-almost.exe")) returned 1 [0026.914] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x438, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="startupcompounddept.exe")) returned 1 [0026.914] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="downtowncambodia.exe")) returned 1 [0026.915] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sperm.exe")) returned 1 [0026.915] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shakespeare imagination ecological.exe")) returned 1 [0026.915] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vol honors pasta.exe")) returned 1 [0026.916] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="austriagrahamboats.exe")) returned 1 [0026.916] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cindy-pilot-periodically.exe")) returned 1 [0026.917] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0026.917] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x694, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0026.918] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0026.918] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="1.EXE.QUARANTINE.exe")) returned 1 [0026.918] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x794, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0026.919] Process32NextW (in: hSnapshot=0xe8, lppe=0x2ff5c4 | out: lppe=0x2ff5c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x794, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0026.919] CloseHandle (hObject=0xe8) returned 1 [0026.919] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5380f8 [0027.525] EnumServicesStatusExW (in: hSCManager=0x5380f8, InfoLevel=0x0, dwServiceType=0x3b, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2ff820, lpServicesReturned=0x2ff824, lpResumeHandle=0x2ff80c, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x2ff820, lpServicesReturned=0x2ff824, lpResumeHandle=0x2ff80c) returned 0 [0027.526] GetLastError () returned 0x5 [0027.526] CloseServiceHandle (hSCObject=0x5380f8) returned 1 [0027.526] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x186238 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x0 [0027.526] GetLogicalDrives () returned 0x4 [0027.526] wnsprintfW (in: pszDest=0x2ff7ec, cchDest=25, pszFmt="%c:\\" | out: pszDest="C:\\") returned 3 [0027.526] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.526] GetProcessHeap () returned 0x4e0000 [0027.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x208) returned 0x50b470 [0027.527] wnsprintfW (in: pszDest=0x50b470, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0027.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x182470, lpParameter=0x50b470, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0027.527] WaitForMultipleObjects (nCount=0x1, lpHandles=0x2ff820*=0xf0, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x5b4 Thread: id = 3 os_tid = 0x1e8 Thread: id = 4 os_tid = 0x508 Thread: id = 6 os_tid = 0x594 [0027.533] GetProcessHeap () returned 0x4e0000 [0027.534] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x53f5e0 [0027.534] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0027.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x535960 [0027.534] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0027.534] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0027.534] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0027.534] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0027.534] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0027.534] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0027.534] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0027.534] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0027.534] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0027.534] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0027.534] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0027.534] lstrcmpW (lpString1="\\\\?\\C:\\Boot", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.534] GetProcessHeap () returned 0x4e0000 [0027.534] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0027.534] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0027.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName=".", cAlternateFileName="")) returned 0x535aa0 [0027.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.535] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.535] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.535] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0027.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.535] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0027.535] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0027.535] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0027.535] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.535] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.535] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="..", cAlternateFileName="")) returned 1 [0027.535] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.535] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.535] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.535] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.535] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.535] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0027.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.535] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0027.535] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0027.535] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0027.536] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.536] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.536] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD", cAlternateFileName="")) returned 1 [0027.536] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0027.536] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0027.536] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0027.536] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0027.536] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0027.536] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0027.536] StrStrIW (lpFirst="BCD", lpSrch=".for") returned 0x0 [0027.536] lstrcmpW (lpString1="BCD", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.536] lstrcmpW (lpString1="BCD", lpString2="taridd") returned -1 [0027.536] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.536] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.536] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x469b3b00, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0027.536] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0027.536] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0027.536] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0027.536] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0027.536] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0027.536] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0027.536] StrStrIW (lpFirst="BCD.LOG", lpSrch=".for") returned 0x0 [0027.536] lstrcmpW (lpString1="BCD.LOG", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.536] lstrcmpW (lpString1="BCD.LOG", lpString2="taridd") returned -1 [0027.536] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.536] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.537] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0027.537] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0027.537] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0027.537] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0027.537] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0027.537] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0027.537] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0027.537] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".for") returned 0x0 [0027.537] lstrcmpW (lpString1="BCD.LOG1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.537] lstrcmpW (lpString1="BCD.LOG1", lpString2="taridd") returned -1 [0027.537] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG1", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.537] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.537] GetTickCount () returned 0x1141b5e [0027.537] GetTickCount () returned 0x1141b5e [0027.537] GetTickCount () returned 0x1141b5e [0027.537] GetTickCount () returned 0x1141b5e [0027.537] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x80) returned 1 [0027.538] GetProcessHeap () returned 0x4e0000 [0027.538] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5310a8 [0027.538] ReadFile (in: hFile=0x140, lpBuffer=0x5310a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesRead=0x2d8f544*=0x0, lpOverlapped=0x0) returned 1 [0027.538] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0027.538] WriteFile (in: hFile=0x140, lpBuffer=0x5310a8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesWritten=0x2d8f544*=0x0, lpOverlapped=0x0) returned 1 [0027.538] GetProcessHeap () returned 0x4e0000 [0027.538] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5310a8 | out: hHeap=0x4e0000) returned 1 [0027.538] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0027.538] WriteFile (in: hFile=0x140, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f544*=0x300, lpOverlapped=0x0) returned 1 [0027.539] WriteFile (in: hFile=0x140, lpBuffer=0x2d8f490*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x2d8f490*, lpNumberOfBytesWritten=0x2d8f544*=0x80, lpOverlapped=0x0) returned 1 [0027.539] WriteFile (in: hFile=0x140, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f544*=0x4, lpOverlapped=0x0) returned 1 [0027.539] CloseHandle (hObject=0x140) returned 1 [0027.540] GetProcessHeap () returned 0x4e0000 [0027.540] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.540] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1_forv_{KNUJ5K}.for") returned 38 [0027.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1_forv_{KNUJ5K}.for" (normalized: "c:\\boot\\bcd.log1_forv_{knuj5k}.for")) returned 1 [0027.540] GetProcessHeap () returned 0x4e0000 [0027.540] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.541] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0027.541] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0027.541] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0027.541] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0027.541] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0027.541] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0027.541] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0027.541] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".for") returned 0x0 [0027.541] lstrcmpW (lpString1="BCD.LOG2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.541] lstrcmpW (lpString1="BCD.LOG2", lpString2="taridd") returned -1 [0027.541] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG2", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.541] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.541] GetTickCount () returned 0x1141b5e [0027.541] GetTickCount () returned 0x1141b5e [0027.541] GetTickCount () returned 0x1141b5e [0027.541] GetTickCount () returned 0x1141b5e [0027.541] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x80) returned 1 [0027.541] GetProcessHeap () returned 0x4e0000 [0027.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5310a8 [0027.541] ReadFile (in: hFile=0x140, lpBuffer=0x5310a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesRead=0x2d8f544*=0x0, lpOverlapped=0x0) returned 1 [0027.541] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0027.541] WriteFile (in: hFile=0x140, lpBuffer=0x5310a8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesWritten=0x2d8f544*=0x0, lpOverlapped=0x0) returned 1 [0027.541] GetProcessHeap () returned 0x4e0000 [0027.542] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5310a8 | out: hHeap=0x4e0000) returned 1 [0027.542] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0027.542] WriteFile (in: hFile=0x140, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f544*=0x300, lpOverlapped=0x0) returned 1 [0027.542] WriteFile (in: hFile=0x140, lpBuffer=0x2d8f490*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x2d8f490*, lpNumberOfBytesWritten=0x2d8f544*=0x80, lpOverlapped=0x0) returned 1 [0027.542] WriteFile (in: hFile=0x140, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f544*=0x4, lpOverlapped=0x0) returned 1 [0027.543] CloseHandle (hObject=0x140) returned 1 [0027.543] GetProcessHeap () returned 0x4e0000 [0027.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.543] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2_forv_{KNUJ5K}.for") returned 38 [0027.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2_forv_{KNUJ5K}.for" (normalized: "c:\\boot\\bcd.log2_forv_{knuj5k}.for")) returned 1 [0027.544] GetProcessHeap () returned 0x4e0000 [0027.544] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.544] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0027.544] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0027.544] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0027.544] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0027.544] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0027.544] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0027.544] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0027.544] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".for") returned 0x0 [0027.544] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.544] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="taridd") returned -1 [0027.544] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.544] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.557] GetTickCount () returned 0x1141b6d [0027.557] GetTickCount () returned 0x1141b6d [0027.557] GetTickCount () returned 0x1141b6d [0027.557] GetTickCount () returned 0x1141b6d [0027.557] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8f490*, pdwDataLen=0x2d8f540*=0x80) returned 1 [0027.557] GetProcessHeap () returned 0x4e0000 [0027.557] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5310a8 [0027.557] ReadFile (in: hFile=0x140, lpBuffer=0x5310a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesRead=0x2d8f544*=0x2800, lpOverlapped=0x0) returned 1 [0027.562] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0027.562] WriteFile (in: hFile=0x140, lpBuffer=0x5310a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x5310a8*, lpNumberOfBytesWritten=0x2d8f544*=0x2800, lpOverlapped=0x0) returned 1 [0027.562] GetProcessHeap () returned 0x4e0000 [0027.562] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5310a8 | out: hHeap=0x4e0000) returned 1 [0027.562] SetFilePointerEx (in: hFile=0x140, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0027.562] WriteFile (in: hFile=0x140, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f544*=0x300, lpOverlapped=0x0) returned 1 [0027.562] WriteFile (in: hFile=0x140, lpBuffer=0x2d8f490*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x2d8f490*, lpNumberOfBytesWritten=0x2d8f544*=0x80, lpOverlapped=0x0) returned 1 [0027.563] WriteFile (in: hFile=0x140, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f544, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f544*=0x4, lpOverlapped=0x0) returned 1 [0027.563] CloseHandle (hObject=0x140) returned 1 [0027.564] GetProcessHeap () returned 0x4e0000 [0027.564] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.564] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_forv_{KNUJ5K}.for") returned 42 [0027.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_forv_{KNUJ5K}.for" (normalized: "c:\\boot\\bootstat.dat_forv_{knuj5k}.for")) returned 1 [0027.564] GetProcessHeap () returned 0x4e0000 [0027.564] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.564] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0027.564] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0027.564] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0027.564] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0027.564] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0027.564] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0027.564] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0027.564] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0027.564] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0027.564] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.564] GetProcessHeap () returned 0x4e0000 [0027.565] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.565] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0027.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.565] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0027.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.565] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.565] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.565] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.565] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.565] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.565] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.565] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0027.565] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.565] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.565] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.565] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.565] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.565] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.565] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.565] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.565] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0027.565] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.566] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.566] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.566] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.566] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.566] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.566] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.566] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.566] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\cs-cz\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.566] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.567] CloseHandle (hObject=0x140) returned 1 [0027.567] GetProcessHeap () returned 0x4e0000 [0027.567] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.568] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="da-DK", cAlternateFileName="")) returned 1 [0027.568] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0027.568] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0027.568] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0027.568] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0027.568] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0027.568] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0027.568] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0027.568] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0027.568] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.568] GetProcessHeap () returned 0x4e0000 [0027.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.568] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0027.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.568] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0027.568] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.568] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.568] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.568] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.568] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.568] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.568] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.568] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0027.568] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.569] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.569] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.569] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.569] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.569] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.569] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.569] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0027.569] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.569] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.569] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.569] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.569] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.569] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.570] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.570] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.570] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\da-dk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.570] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.571] CloseHandle (hObject=0x140) returned 1 [0027.571] GetProcessHeap () returned 0x4e0000 [0027.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.571] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="de-DE", cAlternateFileName="")) returned 1 [0027.571] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0027.571] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0027.571] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0027.571] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0027.571] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0027.571] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0027.571] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0027.571] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0027.571] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.571] GetProcessHeap () returned 0x4e0000 [0027.571] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.571] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0027.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.572] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0027.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.572] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.572] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.572] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.572] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.572] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.572] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.572] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0027.572] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.572] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.572] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.572] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.572] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.572] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.572] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.572] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.572] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0027.572] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.572] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.572] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.572] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.572] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.572] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.572] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.572] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.572] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\de-de\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.573] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.574] CloseHandle (hObject=0x140) returned 1 [0027.574] GetProcessHeap () returned 0x4e0000 [0027.574] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.574] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="el-GR", cAlternateFileName="")) returned 1 [0027.574] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0027.574] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0027.574] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0027.574] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0027.574] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0027.574] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0027.574] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0027.574] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0027.574] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.574] GetProcessHeap () returned 0x4e0000 [0027.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.574] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0027.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.574] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.574] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.574] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.574] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.574] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.574] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0027.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.575] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.575] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.575] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.575] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.575] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.575] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.575] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0027.575] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.575] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.575] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.575] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.575] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.575] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.575] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.575] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.575] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0027.575] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.575] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.575] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.575] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.575] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.576] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.576] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.576] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\el-gr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.576] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.577] CloseHandle (hObject=0x140) returned 1 [0027.577] GetProcessHeap () returned 0x4e0000 [0027.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.577] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="en-US", cAlternateFileName="")) returned 1 [0027.577] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0027.578] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0027.578] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0027.578] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0027.578] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0027.578] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0027.578] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0027.578] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0027.578] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.578] GetProcessHeap () returned 0x4e0000 [0027.578] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.578] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0027.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.578] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0027.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.578] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.578] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.578] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.578] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.578] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.578] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.578] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0027.578] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.578] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.579] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.579] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0027.579] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.579] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.579] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.579] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.579] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0027.579] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0027.579] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.579] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0027.579] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0027.579] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.579] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0027.579] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".for") returned 0x0 [0027.579] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.579] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0027.579] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.579] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0027.579] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.579] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.581] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.582] CloseHandle (hObject=0x140) returned 1 [0027.582] GetProcessHeap () returned 0x4e0000 [0027.582] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.582] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="es-ES", cAlternateFileName="")) returned 1 [0027.582] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0027.582] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0027.582] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0027.582] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0027.582] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0027.582] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0027.583] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0027.583] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0027.583] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.583] GetProcessHeap () returned 0x4e0000 [0027.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.583] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0027.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.587] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.587] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.587] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.587] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.587] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.587] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0027.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.587] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.587] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.587] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.587] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.587] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.587] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.587] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0027.587] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.587] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.588] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0027.588] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.588] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.588] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.588] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.588] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.588] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.588] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-es\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.588] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.589] CloseHandle (hObject=0x140) returned 1 [0027.589] GetProcessHeap () returned 0x4e0000 [0027.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.589] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0027.589] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0027.589] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0027.589] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0027.589] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0027.589] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0027.589] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0027.589] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0027.589] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0027.589] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.589] GetProcessHeap () returned 0x4e0000 [0027.589] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.589] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0027.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.590] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0027.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.590] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.590] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0027.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.590] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0027.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0027.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0027.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0027.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0027.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0027.590] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0027.590] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0027.590] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.591] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0027.591] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.591] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0027.591] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0027.591] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0027.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fi-fi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0027.591] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0027.592] CloseHandle (hObject=0x140) returned 1 [0027.592] GetProcessHeap () returned 0x4e0000 [0027.592] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0027.592] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="Fonts", cAlternateFileName="")) returned 1 [0027.592] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0027.592] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0027.592] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0027.592] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0027.592] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0027.592] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0027.592] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0027.592] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0027.592] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0027.592] GetProcessHeap () returned 0x4e0000 [0027.592] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0027.592] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0027.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0027.598] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0027.598] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0027.598] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0027.598] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0027.598] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0027.598] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0027.598] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0027.598] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0027.598] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0027.598] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0027.598] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0027.598] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0027.598] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0027.598] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0027.598] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0027.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0027.598] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0027.598] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0027.598] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0027.598] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0027.598] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0027.598] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0027.598] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0027.598] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".for") returned 0x0 [0027.598] lstrcmpW (lpString1="chs_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.598] lstrcmpW (lpString1="chs_boot.ttf", lpString2="taridd") returned -1 [0027.598] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.598] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.598] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0027.598] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0027.599] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0027.599] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0027.599] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0027.599] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0027.599] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0027.599] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".for") returned 0x0 [0027.599] lstrcmpW (lpString1="cht_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0027.599] lstrcmpW (lpString1="cht_boot.ttf", lpString2="taridd") returned -1 [0027.599] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0027.599] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0027.649] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0027.649] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0027.649] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0028.395] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0028.395] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0028.395] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0028.395] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0028.395] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".for") returned 0x0 [0028.395] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.395] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="taridd") returned -1 [0028.395] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.395] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.395] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0028.396] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0028.396] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0028.396] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0028.396] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0028.396] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0028.396] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0028.396] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".for") returned 0x0 [0028.396] lstrcmpW (lpString1="kor_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.396] lstrcmpW (lpString1="kor_boot.ttf", lpString2="taridd") returned -1 [0028.396] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.396] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.396] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0028.396] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0028.396] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0028.396] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0028.396] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0028.396] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0028.396] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0028.396] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".for") returned 0x0 [0028.396] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.396] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="taridd") returned 1 [0028.396] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.396] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.396] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0028.396] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.396] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.396] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fonts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.439] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.442] CloseHandle (hObject=0x140) returned 1 [0028.442] GetProcessHeap () returned 0x4e0000 [0028.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0028.442] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0028.442] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0028.442] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0028.442] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0028.442] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0028.442] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0028.442] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0028.443] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0028.443] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0028.443] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.443] GetProcessHeap () returned 0x4e0000 [0028.443] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0028.443] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0028.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.446] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.446] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.446] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.446] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0028.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.446] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.446] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.446] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.446] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.446] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.446] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.446] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0028.446] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.446] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.446] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.446] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.446] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.446] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.446] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.446] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0028.446] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.446] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.446] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.446] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.446] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.446] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.447] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.447] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.447] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-fr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.447] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.448] CloseHandle (hObject=0x140) returned 1 [0028.448] GetProcessHeap () returned 0x4e0000 [0028.448] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0028.448] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0028.448] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0028.448] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0028.448] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0028.448] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0028.448] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0028.448] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0028.448] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0028.448] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0028.448] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.448] GetProcessHeap () returned 0x4e0000 [0028.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0028.448] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0028.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.449] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.449] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.449] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.449] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.449] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0028.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.449] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.449] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.449] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.449] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.449] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0028.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.449] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.449] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.449] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.449] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.449] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.449] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.449] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0028.449] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.449] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.449] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.450] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.450] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.450] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.450] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.450] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.450] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hu-hu\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.450] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.451] CloseHandle (hObject=0x140) returned 1 [0028.451] GetProcessHeap () returned 0x4e0000 [0028.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0028.451] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="it-IT", cAlternateFileName="")) returned 1 [0028.451] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0028.451] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0028.451] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0028.451] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0028.451] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0028.451] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0028.451] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0028.451] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0028.451] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.451] GetProcessHeap () returned 0x4e0000 [0028.451] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.451] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0028.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.453] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.453] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.453] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.453] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.453] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.453] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0028.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.453] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.453] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.453] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.453] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.454] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.454] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0028.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.454] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.454] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0028.454] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.454] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.454] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.454] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.454] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.454] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.454] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\it-it\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.455] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.455] CloseHandle (hObject=0x140) returned 1 [0028.456] GetProcessHeap () returned 0x4e0000 [0028.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.456] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0028.456] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0028.456] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0028.456] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0028.456] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0028.456] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0028.456] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0028.456] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0028.456] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0028.456] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.456] GetProcessHeap () returned 0x4e0000 [0028.456] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.456] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0028.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.456] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0028.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.457] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.457] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.457] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.457] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0028.457] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.457] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.457] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.457] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.457] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.457] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.457] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.457] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0028.457] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.457] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.457] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.457] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.457] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.457] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.457] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.457] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.457] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ja-jp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.458] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.459] CloseHandle (hObject=0x140) returned 1 [0028.459] GetProcessHeap () returned 0x4e0000 [0028.459] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.459] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0028.459] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0028.459] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0028.459] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0028.459] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0028.459] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0028.459] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0028.459] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0028.459] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0028.459] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.459] GetProcessHeap () returned 0x4e0000 [0028.459] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.459] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0028.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.462] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.462] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.462] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.462] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.462] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.462] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0028.462] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.462] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.462] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.462] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.462] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.462] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.462] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.462] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0028.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.462] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.462] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.462] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.462] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.462] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.462] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.462] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.462] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0028.462] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.462] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.462] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.462] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.463] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.463] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.463] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.463] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.463] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ko-kr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.463] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.464] CloseHandle (hObject=0x140) returned 1 [0028.464] GetProcessHeap () returned 0x4e0000 [0028.464] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.464] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0028.464] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0028.464] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0028.464] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0028.464] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0028.464] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0028.464] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0028.464] StrStrIW (lpFirst="memtest.exe", lpSrch=".for") returned 0x0 [0028.464] lstrcmpW (lpString1="memtest.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.464] lstrcmpW (lpString1="memtest.exe", lpString2="taridd") returned -1 [0028.464] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\memtest.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.464] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.464] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0028.465] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0028.465] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0028.465] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0028.465] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0028.465] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0028.465] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0028.465] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0028.465] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0028.465] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.465] GetProcessHeap () returned 0x4e0000 [0028.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.465] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0028.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.465] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0028.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.465] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.466] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0028.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.466] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.466] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.466] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.466] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.466] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.466] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.466] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0028.466] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.466] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.466] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.466] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.466] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.502] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.502] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.502] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.502] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nb-no\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.502] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.503] CloseHandle (hObject=0x140) returned 1 [0028.503] GetProcessHeap () returned 0x4e0000 [0028.503] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.503] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0028.503] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0028.503] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0028.503] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0028.503] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0028.503] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0028.503] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0028.503] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0028.503] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0028.503] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.503] GetProcessHeap () returned 0x4e0000 [0028.504] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.504] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0028.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.504] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0028.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.504] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.504] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0028.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.504] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.504] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.504] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.504] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.504] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.504] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.505] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0028.505] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.505] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.505] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.505] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.505] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.505] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.505] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.505] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.505] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nl-nl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.505] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.506] CloseHandle (hObject=0x140) returned 1 [0028.506] GetProcessHeap () returned 0x4e0000 [0028.506] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.506] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0028.506] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0028.506] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0028.506] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0028.506] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0028.506] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0028.506] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0028.506] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0028.506] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0028.506] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.507] GetProcessHeap () returned 0x4e0000 [0028.507] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.507] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0028.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.507] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.507] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.507] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.507] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.507] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.507] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0028.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.507] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.507] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0028.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.507] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.507] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.508] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.508] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0028.508] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.508] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.508] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.508] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.508] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.511] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.511] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.511] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.511] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pl-pl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.512] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.512] CloseHandle (hObject=0x140) returned 1 [0028.513] GetProcessHeap () returned 0x4e0000 [0028.513] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.513] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0028.513] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0028.513] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0028.513] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0028.513] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0028.513] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0028.513] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0028.513] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0028.513] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0028.513] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.513] GetProcessHeap () returned 0x4e0000 [0028.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.513] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0028.513] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.522] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0028.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.522] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.522] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0028.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.522] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.522] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.522] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.522] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.522] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.522] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.522] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0028.522] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.522] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.522] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.522] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.522] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.522] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.522] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.522] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.523] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-br\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.523] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.524] CloseHandle (hObject=0x140) returned 1 [0028.524] GetProcessHeap () returned 0x4e0000 [0028.524] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.524] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0028.524] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0028.524] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0028.524] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0028.524] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0028.524] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0028.524] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0028.524] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0028.524] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0028.524] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.525] GetProcessHeap () returned 0x4e0000 [0028.525] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.525] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0028.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.525] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0028.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.525] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.525] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0028.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.525] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.525] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.525] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.525] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.526] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.526] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.526] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0028.526] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.526] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.526] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.526] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.526] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.527] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.527] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.527] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.527] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-pt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.527] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.528] CloseHandle (hObject=0x140) returned 1 [0028.528] GetProcessHeap () returned 0x4e0000 [0028.528] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.528] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0028.528] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0028.528] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0028.528] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0028.528] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0028.528] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0028.528] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0028.529] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0028.529] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0028.529] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.529] GetProcessHeap () returned 0x4e0000 [0028.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.529] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0028.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.529] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.529] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.529] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.529] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.529] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.529] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0028.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.529] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.529] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.529] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.529] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.529] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.529] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.529] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0028.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.529] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.529] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.529] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.530] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.530] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.530] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.530] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0028.530] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.530] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.530] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.530] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.530] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.530] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.530] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.530] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ru-ru\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.530] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.531] CloseHandle (hObject=0x140) returned 1 [0028.531] GetProcessHeap () returned 0x4e0000 [0028.531] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.531] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0028.531] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0028.531] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0028.531] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0028.531] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0028.531] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0028.531] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0028.532] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0028.532] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0028.532] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.532] GetProcessHeap () returned 0x4e0000 [0028.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.532] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0028.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.532] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.532] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.532] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.533] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.533] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.533] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0028.533] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.533] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.533] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.533] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.533] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.533] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.533] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.533] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0028.533] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.533] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.533] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.533] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.533] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.533] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.533] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.533] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0028.533] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.533] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.533] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.533] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.533] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.541] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.541] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.541] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.541] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sv-se\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.541] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.542] CloseHandle (hObject=0x140) returned 1 [0028.542] GetProcessHeap () returned 0x4e0000 [0028.542] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.542] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0028.542] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0028.542] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0028.542] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0028.542] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0028.542] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0028.542] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0028.542] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0028.542] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0028.542] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.542] GetProcessHeap () returned 0x4e0000 [0028.542] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.542] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0028.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.543] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.543] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.543] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.543] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.543] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.543] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0028.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.543] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.543] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.543] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.543] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.543] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.543] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.543] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0028.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.543] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.543] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.543] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.543] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.543] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.543] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.544] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0028.544] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.544] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.544] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.544] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.544] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.544] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.544] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.544] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.544] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\tr-tr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.544] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.545] CloseHandle (hObject=0x140) returned 1 [0028.545] GetProcessHeap () returned 0x4e0000 [0028.545] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.545] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0028.545] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0028.545] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0028.545] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0028.546] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0028.546] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0028.546] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0028.546] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0028.546] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0028.546] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.546] GetProcessHeap () returned 0x4e0000 [0028.546] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.546] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0028.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.546] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.546] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.546] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.546] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.546] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.546] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0028.546] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.546] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.546] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.546] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.546] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.546] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.546] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.546] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0028.546] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.547] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.547] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.547] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.547] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.547] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.547] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.547] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.547] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0028.547] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.547] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.547] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.547] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.547] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.552] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.552] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.552] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-cn\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.552] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.553] CloseHandle (hObject=0x140) returned 1 [0028.553] GetProcessHeap () returned 0x4e0000 [0028.553] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.553] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0028.553] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0028.553] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0028.553] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0028.553] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0028.553] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0028.553] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0028.553] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0028.553] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0028.553] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.553] GetProcessHeap () returned 0x4e0000 [0028.553] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.553] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0028.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.554] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.554] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0028.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.554] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.554] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.554] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.554] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0028.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.554] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.554] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.554] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.554] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.554] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.554] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.554] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0028.554] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.554] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.555] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.555] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.555] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.555] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.555] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.555] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.555] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-hk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.555] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.556] CloseHandle (hObject=0x140) returned 1 [0028.556] GetProcessHeap () returned 0x4e0000 [0028.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.556] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0028.556] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0028.556] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0028.556] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0028.556] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0028.556] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0028.556] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0028.556] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0028.556] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0028.556] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.556] GetProcessHeap () returned 0x4e0000 [0028.556] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.556] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0028.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.557] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.557] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.557] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.557] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.557] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.557] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0028.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.557] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.557] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.557] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0028.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.557] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0028.557] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0028.557] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0028.557] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0028.557] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0028.557] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0028.557] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0028.557] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".for") returned 0x0 [0028.557] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.557] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0028.557] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.558] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.558] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0028.558] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0028.558] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.558] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-tw\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0028.558] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0028.559] CloseHandle (hObject=0x140) returned 1 [0028.559] GetProcessHeap () returned 0x4e0000 [0028.559] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.559] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650052, dwReserved1=0x790063, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0028.559] FindClose (in: hFindFile=0x535aa0 | out: hFindFile=0x535aa0) returned 1 [0028.559] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 43 [0028.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0028.559] WriteFile (in: hFile=0x148, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f54c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f54c*=0x2b0, lpOverlapped=0x0) returned 1 [0028.560] CloseHandle (hObject=0x148) returned 1 [0028.560] GetProcessHeap () returned 0x4e0000 [0028.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0028.560] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0028.560] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0028.561] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0028.561] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0028.561] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0028.561] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0028.561] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0028.561] StrStrIW (lpFirst="bootmgr", lpSrch=".for") returned 0x0 [0028.561] lstrcmpW (lpString1="bootmgr", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.561] lstrcmpW (lpString1="bootmgr", lpString2="taridd") returned -1 [0028.561] StrCmpNW (lpStr1="\\\\?\\C:\\bootmgr", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.561] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.561] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0028.561] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0028.561] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0028.561] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0028.561] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0028.561] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0028.561] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0028.561] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".for") returned 0x0 [0028.561] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.561] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="taridd") returned -1 [0028.561] StrCmpNW (lpStr1="\\\\?\\C:\\BOOTSECT.BAK", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.561] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.567] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0028.568] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0028.568] lstrcmpiW (lpString1="Config.Msi", lpString2="$Recycle.bin") returned 1 [0028.568] lstrcmpiW (lpString1="Config.Msi", lpString2="System Volume Information") returned -1 [0028.568] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files") returned -1 [0028.568] lstrcmpiW (lpString1="Config.Msi", lpString2="Program Files (x86)") returned -1 [0028.568] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0028.568] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0028.568] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0028.568] lstrcmpW (lpString1="\\\\?\\C:\\Config.Msi", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.568] GetProcessHeap () returned 0x4e0000 [0028.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.568] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Config.Msi\\*") returned 19 [0028.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535aa0 [0028.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.568] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\.") returned 19 [0028.568] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.568] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0028.568] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.568] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0028.568] StrCmpNW (lpStr1="\\\\?\\C:\\Config.Msi\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.569] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\." (normalized: "c:\\config.msi\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.569] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.569] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.569] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.569] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.569] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.569] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\..") returned 20 [0028.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.569] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0028.569] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.569] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0028.569] StrCmpNW (lpStr1="\\\\?\\C:\\Config.Msi\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.569] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.569] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0028.569] FindClose (in: hFindFile=0x535aa0 | out: hFindFile=0x535aa0) returned 1 [0028.569] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0028.569] CreateFileW (lpFileName="\\\\?\\C:\\Config.Msi\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\config.msi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0028.570] WriteFile (in: hFile=0x148, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f54c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f54c*=0x2b0, lpOverlapped=0x0) returned 1 [0028.570] CloseHandle (hObject=0x148) returned 1 [0028.570] GetProcessHeap () returned 0x4e0000 [0028.570] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.571] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0028.571] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0028.571] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0028.571] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0028.571] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0028.571] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0028.571] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0028.571] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0028.571] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0028.571] lstrcmpW (lpString1="\\\\?\\C:\\Documents and Settings", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.571] GetProcessHeap () returned 0x4e0000 [0028.571] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.571] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0028.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0028.571] GetProcessHeap () returned 0x4e0000 [0028.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0028.571] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0028.571] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0028.571] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0028.571] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0028.571] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0028.571] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0028.571] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0028.571] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".for") returned 0x0 [0028.571] lstrcmpW (lpString1="hiberfil.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.572] lstrcmpW (lpString1="hiberfil.sys", lpString2="taridd") returned -1 [0028.572] StrCmpNW (lpStr1="\\\\?\\C:\\hiberfil.sys", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.572] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.572] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0028.572] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0028.572] lstrcmpiW (lpString1="MSOCache", lpString2="$Recycle.bin") returned 1 [0028.572] lstrcmpiW (lpString1="MSOCache", lpString2="System Volume Information") returned -1 [0028.572] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files") returned -1 [0028.572] lstrcmpiW (lpString1="MSOCache", lpString2="Program Files (x86)") returned -1 [0028.572] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0028.572] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0028.572] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0028.572] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.572] GetProcessHeap () returned 0x4e0000 [0028.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0028.572] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\*") returned 17 [0028.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535aa0 [0028.572] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.572] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.572] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.572] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.572] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.573] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\.") returned 17 [0028.573] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.573] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0028.573] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.573] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0028.573] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.573] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\." (normalized: "c:\\msocache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.573] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.573] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.573] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.573] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.573] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.573] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.573] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\..") returned 18 [0028.573] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.573] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.573] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0028.573] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.573] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0028.573] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.573] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.573] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0028.573] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0028.573] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0028.573] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0028.573] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0028.573] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0028.573] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0028.573] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0028.573] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0028.574] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.574] GetProcessHeap () returned 0x4e0000 [0028.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0028.574] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\*") returned 27 [0028.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0028.635] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.635] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.635] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.635] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.635] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0028.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.635] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0028.635] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.636] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0028.636] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.636] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\." (normalized: "c:\\msocache\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.636] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.655] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.655] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.655] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.655] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.655] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.655] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0028.655] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.655] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.655] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0028.655] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.655] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0028.655] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.655] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\.." (normalized: "c:\\msocache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.655] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0028.655] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0028.655] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0028.655] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0028.656] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0028.656] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0028.656] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0028.656] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0028.656] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0028.656] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0028.656] GetProcessHeap () returned 0x4e0000 [0028.656] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0028.656] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned 68 [0028.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0028.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0028.705] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0028.705] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0028.706] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0028.706] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0028.706] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0028.706] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0028.706] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0028.706] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.706] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0028.706] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.706] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.706] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0028.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0028.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0028.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0028.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0028.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0028.706] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0028.706] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0028.706] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0028.706] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0028.706] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0028.706] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0028.706] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.706] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0028.706] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0028.706] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0028.706] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$Recycle.bin") returned 1 [0028.706] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="System Volume Information") returned -1 [0028.706] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files") returned -1 [0028.707] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Program Files (x86)") returned -1 [0028.707] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0028.707] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".for") returned 0x0 [0028.707] lstrcmpW (lpString1="ExcelLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0028.707] lstrcmpW (lpString1="ExcelLR.cab", lpString2="taridd") returned -1 [0028.707] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0028.707] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0028.722] GetTickCount () returned 0x1141d32 [0028.722] GetTickCount () returned 0x1141d32 [0028.722] GetTickCount () returned 0x1141d32 [0028.722] GetTickCount () returned 0x1141d32 [0028.722] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0028.722] GetProcessHeap () returned 0x4e0000 [0028.722] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0028.722] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0028.746] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0028.747] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0028.747] GetProcessHeap () returned 0x4e0000 [0028.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0028.747] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0028.748] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0028.761] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0028.761] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0028.761] CloseHandle (hObject=0x208) returned 1 [0029.178] GetProcessHeap () returned 0x4e0000 [0029.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.178] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab_forv_{KNUJ5K}.for") returned 96 [0029.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab_forv_{knuj5k}.for")) returned 1 [0029.288] GetProcessHeap () returned 0x4e0000 [0029.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.288] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0029.288] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0029.288] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$Recycle.bin") returned 1 [0029.288] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="System Volume Information") returned -1 [0029.288] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files") returned -1 [0029.288] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Program Files (x86)") returned -1 [0029.288] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0029.288] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".for") returned 0x0 [0029.288] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.288] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="taridd") returned -1 [0029.288] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.289] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.289] GetTickCount () returned 0x1141ee7 [0029.289] GetTickCount () returned 0x1141ee7 [0029.289] GetTickCount () returned 0x1141ee7 [0029.289] GetTickCount () returned 0x1141ee7 [0029.289] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.289] GetProcessHeap () returned 0x4e0000 [0029.289] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.289] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.291] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.291] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.291] GetProcessHeap () returned 0x4e0000 [0029.291] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.292] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.292] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.293] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.293] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.293] CloseHandle (hObject=0x208) returned 1 [0029.343] GetProcessHeap () returned 0x4e0000 [0029.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.343] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi_forv_{KNUJ5K}.for") returned 97 [0029.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi_forv_{knuj5k}.for")) returned 1 [0029.404] GetProcessHeap () returned 0x4e0000 [0029.404] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.404] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0029.404] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0029.404] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$Recycle.bin") returned 1 [0029.404] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="System Volume Information") returned -1 [0029.404] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files") returned -1 [0029.404] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Program Files (x86)") returned -1 [0029.404] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0029.404] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".for") returned 0x0 [0029.404] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.404] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="taridd") returned -1 [0029.404] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.405] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.405] GetTickCount () returned 0x1141f35 [0029.405] GetTickCount () returned 0x1141f35 [0029.405] GetTickCount () returned 0x1141f35 [0029.405] GetTickCount () returned 0x1141f35 [0029.405] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.405] GetProcessHeap () returned 0x4e0000 [0029.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.405] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x61d, lpOverlapped=0x0) returned 1 [0029.406] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.407] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x61d, lpOverlapped=0x0) returned 1 [0029.407] GetProcessHeap () returned 0x4e0000 [0029.407] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.407] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.407] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.407] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.407] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.407] CloseHandle (hObject=0x208) returned 1 [0029.408] GetProcessHeap () returned 0x4e0000 [0029.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.408] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml_forv_{KNUJ5K}.for") returned 97 [0029.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml_forv_{knuj5k}.for")) returned 1 [0029.408] GetProcessHeap () returned 0x4e0000 [0029.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.408] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0029.408] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0029.408] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0029.409] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0029.409] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0029.409] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0029.409] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0029.409] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0029.409] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.409] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0029.409] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.409] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.410] GetTickCount () returned 0x1141f44 [0029.410] GetTickCount () returned 0x1141f44 [0029.410] GetTickCount () returned 0x1141f44 [0029.410] GetTickCount () returned 0x1141f44 [0029.410] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.410] GetProcessHeap () returned 0x4e0000 [0029.410] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.410] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x8f8, lpOverlapped=0x0) returned 1 [0029.411] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.411] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x8f8, lpOverlapped=0x0) returned 1 [0029.411] GetProcessHeap () returned 0x4e0000 [0029.411] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.411] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.411] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.412] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.412] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.412] CloseHandle (hObject=0x208) returned 1 [0029.412] GetProcessHeap () returned 0x4e0000 [0029.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.412] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0029.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0029.413] GetProcessHeap () returned 0x4e0000 [0029.413] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.413] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0029.413] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0029.413] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0029.413] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0029.413] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0029.414] CloseHandle (hObject=0x150) returned 1 [0029.414] GetProcessHeap () returned 0x4e0000 [0029.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0029.414] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0029.414] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0029.414] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0029.414] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0029.414] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0029.414] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0029.414] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0029.414] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0029.415] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0029.415] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0029.415] GetProcessHeap () returned 0x4e0000 [0029.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0029.415] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned 68 [0029.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0029.417] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0029.417] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0029.417] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0029.417] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0029.417] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0029.417] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0029.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0029.417] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0029.417] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0029.417] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0029.417] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.417] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0029.417] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0029.417] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0029.417] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0029.417] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0029.417] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0029.417] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0029.417] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0029.417] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0029.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0029.417] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0029.417] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0029.417] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0029.417] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.417] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0029.417] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0029.417] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0029.418] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$Recycle.bin") returned 1 [0029.418] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="System Volume Information") returned -1 [0029.418] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files") returned -1 [0029.418] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Program Files (x86)") returned -1 [0029.418] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0029.418] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".for") returned 0x0 [0029.418] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.418] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="taridd") returned -1 [0029.418] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.418] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.418] GetTickCount () returned 0x1141f44 [0029.418] GetTickCount () returned 0x1141f44 [0029.418] GetTickCount () returned 0x1141f44 [0029.418] GetTickCount () returned 0x1141f44 [0029.418] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.418] GetProcessHeap () returned 0x4e0000 [0029.418] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.418] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.420] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.421] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.421] GetProcessHeap () returned 0x4e0000 [0029.421] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.421] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.421] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.425] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.425] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.425] CloseHandle (hObject=0x208) returned 1 [0029.466] GetProcessHeap () returned 0x4e0000 [0029.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.467] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi_forv_{KNUJ5K}.for") returned 102 [0029.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi_forv_{knuj5k}.for")) returned 1 [0029.467] GetProcessHeap () returned 0x4e0000 [0029.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.467] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0029.467] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0029.467] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$Recycle.bin") returned 1 [0029.467] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="System Volume Information") returned -1 [0029.467] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files") returned -1 [0029.467] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Program Files (x86)") returned -1 [0029.467] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0029.467] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".for") returned 0x0 [0029.467] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.467] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="taridd") returned -1 [0029.467] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.467] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.468] GetTickCount () returned 0x1141f73 [0029.468] GetTickCount () returned 0x1141f73 [0029.468] GetTickCount () returned 0x1141f73 [0029.468] GetTickCount () returned 0x1141f73 [0029.468] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.477] GetProcessHeap () returned 0x4e0000 [0029.477] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.477] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x5aa, lpOverlapped=0x0) returned 1 [0029.478] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.478] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x5aa, lpOverlapped=0x0) returned 1 [0029.478] GetProcessHeap () returned 0x4e0000 [0029.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.478] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.479] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.479] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.479] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.479] CloseHandle (hObject=0x208) returned 1 [0029.479] GetProcessHeap () returned 0x4e0000 [0029.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.480] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml_forv_{KNUJ5K}.for") returned 102 [0029.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml_forv_{knuj5k}.for")) returned 1 [0029.480] GetProcessHeap () returned 0x4e0000 [0029.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.480] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x0, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0029.480] lstrcmpiW (lpString1="PptLR.cab", lpString2="Windows") returned -1 [0029.480] lstrcmpiW (lpString1="PptLR.cab", lpString2="$Recycle.bin") returned 1 [0029.480] lstrcmpiW (lpString1="PptLR.cab", lpString2="System Volume Information") returned -1 [0029.480] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files") returned -1 [0029.480] lstrcmpiW (lpString1="PptLR.cab", lpString2="Program Files (x86)") returned -1 [0029.480] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0029.480] StrStrIW (lpFirst="PptLR.cab", lpSrch=".for") returned 0x0 [0029.480] lstrcmpW (lpString1="PptLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.480] lstrcmpW (lpString1="PptLR.cab", lpString2="taridd") returned -1 [0029.480] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.480] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.481] GetTickCount () returned 0x1141f83 [0029.481] GetTickCount () returned 0x1141f83 [0029.481] GetTickCount () returned 0x1141f83 [0029.481] GetTickCount () returned 0x1141f83 [0029.481] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.481] GetProcessHeap () returned 0x4e0000 [0029.481] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.481] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.485] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.485] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.485] GetProcessHeap () returned 0x4e0000 [0029.485] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.485] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.485] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.486] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.486] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.486] CloseHandle (hObject=0x208) returned 1 [0029.944] GetProcessHeap () returned 0x4e0000 [0029.944] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.944] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab_forv_{KNUJ5K}.for") returned 94 [0029.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab_forv_{knuj5k}.for")) returned 1 [0029.945] GetProcessHeap () returned 0x4e0000 [0029.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.945] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0029.945] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0029.945] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0029.945] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0029.945] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0029.945] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0029.945] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0029.945] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0029.945] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.945] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0029.945] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.945] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.946] GetTickCount () returned 0x1142137 [0029.946] GetTickCount () returned 0x1142137 [0029.946] GetTickCount () returned 0x1142137 [0029.946] GetTickCount () returned 0x1142137 [0029.946] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.946] GetProcessHeap () returned 0x4e0000 [0029.946] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.946] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x75e, lpOverlapped=0x0) returned 1 [0029.947] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.947] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x75e, lpOverlapped=0x0) returned 1 [0029.948] GetProcessHeap () returned 0x4e0000 [0029.948] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.948] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.948] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.948] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.948] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.948] CloseHandle (hObject=0x208) returned 1 [0029.949] GetProcessHeap () returned 0x4e0000 [0029.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0029.949] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0029.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0029.949] GetProcessHeap () returned 0x4e0000 [0029.949] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0029.949] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0029.949] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0029.949] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0029.949] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0029.950] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0029.950] CloseHandle (hObject=0x150) returned 1 [0029.950] GetProcessHeap () returned 0x4e0000 [0029.951] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0029.951] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0029.951] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0029.951] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0029.951] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0029.951] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0029.951] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0029.951] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0029.951] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0029.951] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0029.951] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0029.951] GetProcessHeap () returned 0x4e0000 [0029.951] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0029.951] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned 68 [0029.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0029.953] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0029.953] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0029.953] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0029.953] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0029.953] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0029.953] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0029.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0029.953] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0029.953] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0029.953] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0029.953] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.954] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0029.954] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0029.954] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0029.954] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0029.954] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0029.954] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0029.954] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0029.954] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0029.954] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0029.954] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0029.954] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0029.954] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0029.954] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0029.954] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.954] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0029.954] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0029.954] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0029.954] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$Recycle.bin") returned 1 [0029.954] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="System Volume Information") returned -1 [0029.954] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files") returned 1 [0029.954] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Program Files (x86)") returned 1 [0029.954] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0029.954] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".for") returned 0x0 [0029.954] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0029.954] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="taridd") returned -1 [0029.954] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0029.954] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0029.958] GetTickCount () returned 0x1142147 [0029.958] GetTickCount () returned 0x1142147 [0029.958] GetTickCount () returned 0x1142147 [0029.958] GetTickCount () returned 0x1142147 [0029.958] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0029.958] GetProcessHeap () returned 0x4e0000 [0029.958] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0029.958] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.960] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0029.960] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0029.960] GetProcessHeap () returned 0x4e0000 [0029.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0029.960] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0029.960] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0029.962] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0029.962] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0029.962] CloseHandle (hObject=0x208) returned 1 [0030.018] GetProcessHeap () returned 0x4e0000 [0030.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0030.018] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi_forv_{KNUJ5K}.for") returned 101 [0030.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi_forv_{knuj5k}.for")) returned 1 [0030.018] GetProcessHeap () returned 0x4e0000 [0030.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0030.019] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0030.019] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0030.019] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$Recycle.bin") returned 1 [0030.019] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="System Volume Information") returned -1 [0030.019] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files") returned 1 [0030.019] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Program Files (x86)") returned 1 [0030.019] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0030.019] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".for") returned 0x0 [0030.019] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0030.019] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="taridd") returned -1 [0030.019] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.019] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0030.019] GetTickCount () returned 0x1142185 [0030.019] GetTickCount () returned 0x1142185 [0030.019] GetTickCount () returned 0x1142185 [0030.019] GetTickCount () returned 0x1142185 [0030.019] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0030.019] GetProcessHeap () returned 0x4e0000 [0030.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0030.019] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x5aa, lpOverlapped=0x0) returned 1 [0030.023] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffa56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0030.023] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x5aa, lpOverlapped=0x0) returned 1 [0030.023] GetProcessHeap () returned 0x4e0000 [0030.023] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0030.023] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0030.023] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0030.024] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0030.024] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0030.024] CloseHandle (hObject=0x208) returned 1 [0030.024] GetProcessHeap () returned 0x4e0000 [0030.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0030.024] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml_forv_{KNUJ5K}.for") returned 101 [0030.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml_forv_{knuj5k}.for")) returned 1 [0030.025] GetProcessHeap () returned 0x4e0000 [0030.025] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0030.025] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0030.025] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0030.025] lstrcmpiW (lpString1="PubLR.cab", lpString2="$Recycle.bin") returned 1 [0030.025] lstrcmpiW (lpString1="PubLR.cab", lpString2="System Volume Information") returned -1 [0030.025] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files") returned 1 [0030.025] lstrcmpiW (lpString1="PubLR.cab", lpString2="Program Files (x86)") returned 1 [0030.025] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0030.025] StrStrIW (lpFirst="PubLR.cab", lpSrch=".for") returned 0x0 [0030.025] lstrcmpW (lpString1="PubLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0030.025] lstrcmpW (lpString1="PubLR.cab", lpString2="taridd") returned -1 [0030.025] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.025] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0030.026] GetTickCount () returned 0x1142185 [0030.026] GetTickCount () returned 0x1142185 [0030.026] GetTickCount () returned 0x1142185 [0030.026] GetTickCount () returned 0x1142185 [0030.026] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0030.026] GetProcessHeap () returned 0x4e0000 [0030.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0030.026] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0030.028] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0030.028] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0030.028] GetProcessHeap () returned 0x4e0000 [0030.028] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0030.028] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0030.028] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0030.030] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0030.030] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0030.030] CloseHandle (hObject=0x208) returned 1 [0030.337] GetProcessHeap () returned 0x4e0000 [0030.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0030.337] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab_forv_{KNUJ5K}.for") returned 94 [0030.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab_forv_{knuj5k}.for")) returned 1 [0030.338] GetProcessHeap () returned 0x4e0000 [0030.338] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0030.338] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0030.338] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0030.338] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0030.338] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0030.338] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0030.338] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0030.338] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0030.338] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0030.338] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0030.338] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0030.338] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.338] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0030.338] GetTickCount () returned 0x114229e [0030.338] GetTickCount () returned 0x114229e [0030.338] GetTickCount () returned 0x114229e [0030.338] GetTickCount () returned 0x114229e [0030.338] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0030.338] GetProcessHeap () returned 0x4e0000 [0030.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5330b8 [0030.338] ReadFile (in: hFile=0x208, lpBuffer=0x5330b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesRead=0x2d8f034*=0x648, lpOverlapped=0x0) returned 1 [0030.340] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0030.340] WriteFile (in: hFile=0x208, lpBuffer=0x5330b8*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5330b8*, lpNumberOfBytesWritten=0x2d8f034*=0x648, lpOverlapped=0x0) returned 1 [0030.340] GetProcessHeap () returned 0x4e0000 [0030.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5330b8 | out: hHeap=0x4e0000) returned 1 [0030.340] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0030.340] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0030.340] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0030.340] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0030.340] CloseHandle (hObject=0x208) returned 1 [0030.341] GetProcessHeap () returned 0x4e0000 [0030.341] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0030.341] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0030.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0030.342] GetProcessHeap () returned 0x4e0000 [0030.342] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0030.342] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0030.342] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0030.342] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0030.342] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0030.342] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0030.343] CloseHandle (hObject=0x150) returned 1 [0030.343] GetProcessHeap () returned 0x4e0000 [0030.343] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0030.343] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0030.343] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0030.343] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0030.343] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0030.343] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0030.343] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0030.344] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0030.344] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0030.344] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0030.344] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0030.344] GetProcessHeap () returned 0x4e0000 [0030.344] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0030.344] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned 68 [0030.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0030.346] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0030.346] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0030.346] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0030.346] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0030.346] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0030.346] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0030.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0030.346] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0030.346] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0030.346] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0030.346] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.346] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0030.346] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0030.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0030.346] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0030.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0030.346] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0030.346] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0030.346] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0030.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0030.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0030.346] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0030.347] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0030.347] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0030.347] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.347] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0030.347] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0030.347] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0030.347] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$Recycle.bin") returned 1 [0030.347] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="System Volume Information") returned -1 [0030.347] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files") returned -1 [0030.347] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Program Files (x86)") returned -1 [0030.347] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0030.347] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".for") returned 0x0 [0030.347] lstrcmpW (lpString1="OutlkLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0030.347] lstrcmpW (lpString1="OutlkLR.cab", lpString2="taridd") returned -1 [0030.347] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0030.347] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0030.349] GetTickCount () returned 0x11422ae [0030.349] GetTickCount () returned 0x11422ae [0030.349] GetTickCount () returned 0x11422ae [0030.349] GetTickCount () returned 0x11422ae [0030.349] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0030.350] GetProcessHeap () returned 0x4e0000 [0030.350] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0030.350] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0030.352] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0030.352] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0030.352] GetProcessHeap () returned 0x4e0000 [0030.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0030.352] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0030.353] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0030.354] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0030.354] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0030.354] CloseHandle (hObject=0x208) returned 1 [0031.238] GetProcessHeap () returned 0x4e0000 [0031.238] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0031.238] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab_forv_{KNUJ5K}.for") returned 96 [0031.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab_forv_{knuj5k}.for")) returned 1 [0031.239] GetProcessHeap () returned 0x4e0000 [0031.239] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0031.239] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0031.239] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0031.239] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$Recycle.bin") returned 1 [0031.239] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="System Volume Information") returned -1 [0031.239] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files") returned -1 [0031.239] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Program Files (x86)") returned -1 [0031.239] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0031.239] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".for") returned 0x0 [0031.239] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0031.239] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="taridd") returned -1 [0031.239] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.239] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0031.240] GetTickCount () returned 0x1142608 [0031.240] GetTickCount () returned 0x1142608 [0031.240] GetTickCount () returned 0x1142608 [0031.240] GetTickCount () returned 0x1142608 [0031.240] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0031.240] GetProcessHeap () returned 0x4e0000 [0031.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0031.240] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0031.242] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0031.243] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0031.243] GetProcessHeap () returned 0x4e0000 [0031.243] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0031.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0031.243] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0031.245] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0031.245] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0031.245] CloseHandle (hObject=0x208) returned 1 [0031.352] GetProcessHeap () returned 0x4e0000 [0031.352] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0031.352] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi_forv_{KNUJ5K}.for") returned 99 [0031.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi_forv_{knuj5k}.for")) returned 1 [0031.353] GetProcessHeap () returned 0x4e0000 [0031.353] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0031.353] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0031.353] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0031.353] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$Recycle.bin") returned 1 [0031.353] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="System Volume Information") returned -1 [0031.353] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files") returned -1 [0031.353] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Program Files (x86)") returned -1 [0031.353] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0031.353] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".for") returned 0x0 [0031.353] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0031.353] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="taridd") returned -1 [0031.353] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.353] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0031.353] GetTickCount () returned 0x1142675 [0031.353] GetTickCount () returned 0x1142675 [0031.353] GetTickCount () returned 0x1142675 [0031.353] GetTickCount () returned 0x1142675 [0031.353] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0031.354] GetProcessHeap () returned 0x4e0000 [0031.354] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0031.354] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0xc72, lpOverlapped=0x0) returned 1 [0031.356] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff38e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0031.356] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0xc72, lpOverlapped=0x0) returned 1 [0031.356] GetProcessHeap () returned 0x4e0000 [0031.357] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0031.357] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0031.357] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0031.357] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0031.357] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0031.357] CloseHandle (hObject=0x208) returned 1 [0031.358] GetProcessHeap () returned 0x4e0000 [0031.358] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0031.358] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml_forv_{KNUJ5K}.for") returned 99 [0031.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml_forv_{knuj5k}.for")) returned 1 [0031.359] GetProcessHeap () returned 0x4e0000 [0031.359] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0031.359] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0031.359] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0031.359] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0031.359] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0031.359] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0031.359] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0031.359] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0031.359] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0031.359] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0031.359] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0031.359] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.359] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0031.360] GetTickCount () returned 0x1142685 [0031.360] GetTickCount () returned 0x1142685 [0031.360] GetTickCount () returned 0x1142685 [0031.360] GetTickCount () returned 0x1142685 [0031.360] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0031.360] GetProcessHeap () returned 0x4e0000 [0031.360] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0031.360] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x106f, lpOverlapped=0x0) returned 1 [0031.362] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffef91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0031.362] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x106f, lpOverlapped=0x0) returned 1 [0031.362] GetProcessHeap () returned 0x4e0000 [0031.362] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0031.362] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0031.362] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0031.362] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0031.362] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0031.362] CloseHandle (hObject=0x208) returned 1 [0031.363] GetProcessHeap () returned 0x4e0000 [0031.363] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0031.363] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0031.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0031.363] GetProcessHeap () returned 0x4e0000 [0031.363] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0031.363] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0031.363] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0031.363] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0031.363] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0031.364] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0031.365] CloseHandle (hObject=0x150) returned 1 [0031.365] GetProcessHeap () returned 0x4e0000 [0031.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0031.365] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0031.365] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0031.365] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0031.365] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0031.365] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0031.365] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0031.365] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0031.365] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0031.365] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0031.365] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0031.365] GetProcessHeap () returned 0x4e0000 [0031.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0031.365] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned 68 [0031.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0031.366] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0031.366] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0031.366] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0031.366] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0031.366] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0031.366] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0031.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0031.366] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0031.366] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0031.366] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0031.366] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.366] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0031.366] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0031.366] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0031.366] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0031.366] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0031.366] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0031.366] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0031.366] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0031.366] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0031.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0031.366] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0031.367] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0031.367] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0031.367] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.367] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0031.367] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0031.367] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0031.367] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0031.367] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0031.367] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0031.367] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0031.367] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0031.367] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0031.367] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0031.367] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0031.367] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.367] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0031.367] GetTickCount () returned 0x1142685 [0031.367] GetTickCount () returned 0x1142685 [0031.367] GetTickCount () returned 0x1142685 [0031.367] GetTickCount () returned 0x1142685 [0031.367] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0031.367] GetProcessHeap () returned 0x4e0000 [0031.367] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0031.367] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x978, lpOverlapped=0x0) returned 1 [0031.369] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff688, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0031.369] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x978, lpOverlapped=0x0) returned 1 [0031.369] GetProcessHeap () returned 0x4e0000 [0031.369] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0031.369] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0031.369] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0031.369] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0031.369] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0031.369] CloseHandle (hObject=0x208) returned 1 [0031.370] GetProcessHeap () returned 0x4e0000 [0031.370] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0031.370] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0031.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0031.372] GetProcessHeap () returned 0x4e0000 [0031.372] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0031.372] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0031.372] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0031.372] lstrcmpiW (lpString1="WordLR.cab", lpString2="$Recycle.bin") returned 1 [0031.372] lstrcmpiW (lpString1="WordLR.cab", lpString2="System Volume Information") returned 1 [0031.372] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files") returned 1 [0031.372] lstrcmpiW (lpString1="WordLR.cab", lpString2="Program Files (x86)") returned 1 [0031.372] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0031.372] StrStrIW (lpFirst="WordLR.cab", lpSrch=".for") returned 0x0 [0031.372] lstrcmpW (lpString1="WordLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0031.372] lstrcmpW (lpString1="WordLR.cab", lpString2="taridd") returned 1 [0031.372] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0031.372] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0031.373] GetTickCount () returned 0x1142694 [0031.373] GetTickCount () returned 0x1142694 [0031.373] GetTickCount () returned 0x1142694 [0031.373] GetTickCount () returned 0x1142694 [0031.373] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0031.373] GetProcessHeap () returned 0x4e0000 [0031.373] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0031.373] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0031.375] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0031.376] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0031.376] GetProcessHeap () returned 0x4e0000 [0031.376] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0031.376] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0031.376] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0031.378] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0031.378] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0031.378] CloseHandle (hObject=0x208) returned 1 [0032.495] GetProcessHeap () returned 0x4e0000 [0032.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0032.495] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab_forv_{KNUJ5K}.for") returned 95 [0032.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab_forv_{knuj5k}.for")) returned 1 [0032.497] GetProcessHeap () returned 0x4e0000 [0032.497] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0032.497] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0032.497] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0032.497] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$Recycle.bin") returned 1 [0032.497] lstrcmpiW (lpString1="WordMUI.msi", lpString2="System Volume Information") returned 1 [0032.497] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files") returned 1 [0032.497] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Program Files (x86)") returned 1 [0032.497] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0032.497] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".for") returned 0x0 [0032.497] lstrcmpW (lpString1="WordMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0032.497] lstrcmpW (lpString1="WordMUI.msi", lpString2="taridd") returned 1 [0032.497] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0032.497] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0032.497] GetTickCount () returned 0x1142ad8 [0032.497] GetTickCount () returned 0x1142ad8 [0032.497] GetTickCount () returned 0x1142ad8 [0032.497] GetTickCount () returned 0x1142ad8 [0032.497] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0032.497] GetProcessHeap () returned 0x4e0000 [0032.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0032.498] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0032.500] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0032.500] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0032.500] GetProcessHeap () returned 0x4e0000 [0032.500] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0032.500] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0032.500] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0032.502] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0032.502] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0032.502] CloseHandle (hObject=0x208) returned 1 [0032.555] GetProcessHeap () returned 0x4e0000 [0032.555] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0032.555] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi_forv_{KNUJ5K}.for") returned 96 [0032.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi_forv_{knuj5k}.for")) returned 1 [0032.558] GetProcessHeap () returned 0x4e0000 [0032.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0032.558] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0032.558] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0032.558] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$Recycle.bin") returned 1 [0032.558] lstrcmpiW (lpString1="WordMUI.xml", lpString2="System Volume Information") returned 1 [0032.559] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files") returned 1 [0032.559] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Program Files (x86)") returned 1 [0032.559] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0032.559] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".for") returned 0x0 [0032.559] lstrcmpW (lpString1="WordMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0032.559] lstrcmpW (lpString1="WordMUI.xml", lpString2="taridd") returned 1 [0032.559] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0032.559] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0032.559] GetTickCount () returned 0x1142b17 [0032.559] GetTickCount () returned 0x1142b17 [0032.559] GetTickCount () returned 0x1142b17 [0032.559] GetTickCount () returned 0x1142b17 [0032.559] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0032.559] GetProcessHeap () returned 0x4e0000 [0032.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0032.559] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x708, lpOverlapped=0x0) returned 1 [0032.561] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff8f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0032.561] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x708, lpOverlapped=0x0) returned 1 [0032.561] GetProcessHeap () returned 0x4e0000 [0032.561] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0032.561] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0032.561] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0032.561] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0032.561] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0032.561] CloseHandle (hObject=0x208) returned 1 [0032.562] GetProcessHeap () returned 0x4e0000 [0032.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0032.562] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml_forv_{KNUJ5K}.for") returned 96 [0032.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml_forv_{knuj5k}.for")) returned 1 [0032.563] GetProcessHeap () returned 0x4e0000 [0032.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0032.563] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0032.563] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0032.563] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0032.563] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0032.563] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0032.564] CloseHandle (hObject=0x150) returned 1 [0032.564] GetProcessHeap () returned 0x4e0000 [0032.564] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0032.564] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0032.564] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0032.564] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0032.564] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0032.564] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0032.564] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0032.564] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0032.564] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0032.564] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0032.564] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0032.564] GetProcessHeap () returned 0x4e0000 [0032.564] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0032.564] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned 68 [0032.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0032.566] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0032.566] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0032.566] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0032.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0032.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0032.566] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0032.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0032.566] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0032.567] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0032.567] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0032.567] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0032.567] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0032.567] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.567] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0032.567] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0032.567] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0032.567] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0032.567] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0032.567] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0032.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0032.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0032.567] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0032.567] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0032.567] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0032.567] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0032.567] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0032.567] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0032.567] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0032.567] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0032.567] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0032.567] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files") returned 1 [0032.567] lstrcmpiW (lpString1="Proof.en", lpString2="Program Files (x86)") returned 1 [0032.567] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0032.567] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0032.567] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0032.567] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0032.567] GetProcessHeap () returned 0x4e0000 [0032.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0032.567] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned 77 [0032.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0032.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0032.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0032.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0032.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0032.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0032.568] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.") returned 77 [0032.568] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0032.568] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.568] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0032.568] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0032.568] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0032.568] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0032.568] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0032.568] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\..") returned 78 [0032.568] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0032.568] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0032.568] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0032.568] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0032.568] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0032.568] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0032.568] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0032.568] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0032.568] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0032.568] StrStrIW (lpFirst="Proof.cab", lpSrch=".for") returned 0x0 [0032.568] lstrcmpW (lpString1="Proof.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0032.568] lstrcmpW (lpString1="Proof.cab", lpString2="taridd") returned -1 [0032.568] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0032.568] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0032.569] GetTickCount () returned 0x1142b17 [0032.569] GetTickCount () returned 0x1142b17 [0032.569] GetTickCount () returned 0x1142b17 [0032.569] GetTickCount () returned 0x1142b17 [0032.569] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0032.569] GetProcessHeap () returned 0x4e0000 [0032.569] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0032.569] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0032.572] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0032.572] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0032.572] GetProcessHeap () returned 0x4e0000 [0032.572] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0032.572] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0032.572] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0032.574] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0032.574] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0032.574] CloseHandle (hObject=0x204) returned 1 [0033.795] GetProcessHeap () returned 0x4e0000 [0033.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0033.795] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab_forv_{KNUJ5K}.for") returned 103 [0033.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab_forv_{knuj5k}.for")) returned 1 [0033.795] GetProcessHeap () returned 0x4e0000 [0033.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0033.795] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0033.795] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0033.795] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0033.795] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0033.795] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0033.795] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0033.795] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0033.795] StrStrIW (lpFirst="Proof.msi", lpSrch=".for") returned 0x0 [0033.796] lstrcmpW (lpString1="Proof.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0033.796] lstrcmpW (lpString1="Proof.msi", lpString2="taridd") returned -1 [0033.796] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0033.796] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0033.796] GetTickCount () returned 0x1142fd7 [0033.796] GetTickCount () returned 0x1142fd7 [0033.796] GetTickCount () returned 0x1142fd7 [0033.796] GetTickCount () returned 0x1142fd7 [0033.796] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0033.796] GetProcessHeap () returned 0x4e0000 [0033.796] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0033.796] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0033.798] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0033.799] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0033.799] GetProcessHeap () returned 0x4e0000 [0033.799] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0033.799] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0033.799] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0033.801] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0033.801] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0033.801] CloseHandle (hObject=0x204) returned 1 [0033.812] GetProcessHeap () returned 0x4e0000 [0033.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0033.812] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi_forv_{KNUJ5K}.for") returned 103 [0033.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi_forv_{knuj5k}.for")) returned 1 [0033.813] GetProcessHeap () returned 0x4e0000 [0033.813] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0033.813] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0033.813] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0033.813] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0033.813] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0033.813] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0033.813] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0033.813] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0033.813] StrStrIW (lpFirst="Proof.xml", lpSrch=".for") returned 0x0 [0033.813] lstrcmpW (lpString1="Proof.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0033.813] lstrcmpW (lpString1="Proof.xml", lpString2="taridd") returned -1 [0033.813] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0033.813] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0033.814] GetTickCount () returned 0x1142fe7 [0033.814] GetTickCount () returned 0x1142fe7 [0033.814] GetTickCount () returned 0x1142fe7 [0033.814] GetTickCount () returned 0x1142fe7 [0033.814] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0033.814] GetProcessHeap () returned 0x4e0000 [0033.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0033.814] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x543, lpOverlapped=0x0) returned 1 [0033.815] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffffabd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0033.815] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x543, lpOverlapped=0x0) returned 1 [0033.815] GetProcessHeap () returned 0x4e0000 [0033.815] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0033.815] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0033.815] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0033.815] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0033.816] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0033.816] CloseHandle (hObject=0x204) returned 1 [0033.816] GetProcessHeap () returned 0x4e0000 [0033.816] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0033.816] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml_forv_{KNUJ5K}.for") returned 103 [0033.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml_forv_{knuj5k}.for")) returned 1 [0033.818] GetProcessHeap () returned 0x4e0000 [0033.818] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0033.818] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0033.818] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0033.818] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0033.818] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0033.819] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0033.819] CloseHandle (hObject=0x208) returned 1 [0033.820] GetProcessHeap () returned 0x4e0000 [0033.820] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0033.820] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0033.820] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0033.820] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0033.820] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0033.820] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files") returned 1 [0033.820] lstrcmpiW (lpString1="Proof.es", lpString2="Program Files (x86)") returned 1 [0033.820] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0033.820] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0033.820] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0033.820] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0033.820] GetProcessHeap () returned 0x4e0000 [0033.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0033.820] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned 77 [0033.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0033.820] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0033.820] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0033.820] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0033.820] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0033.820] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0033.820] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.") returned 77 [0033.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0033.820] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0033.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0033.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0033.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0033.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0033.821] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\..") returned 78 [0033.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0033.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0033.821] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0033.821] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0033.821] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0033.821] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0033.821] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0033.821] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0033.821] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0033.821] StrStrIW (lpFirst="Proof.cab", lpSrch=".for") returned 0x0 [0033.821] lstrcmpW (lpString1="Proof.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0033.821] lstrcmpW (lpString1="Proof.cab", lpString2="taridd") returned -1 [0033.821] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0033.821] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0033.822] GetTickCount () returned 0x1142ff7 [0033.822] GetTickCount () returned 0x1142ff7 [0033.822] GetTickCount () returned 0x1142ff7 [0033.822] GetTickCount () returned 0x1142ff7 [0033.822] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0033.822] GetProcessHeap () returned 0x4e0000 [0033.822] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0033.822] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0033.824] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0033.825] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0033.825] GetProcessHeap () returned 0x4e0000 [0033.825] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0033.825] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0033.825] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0033.826] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0033.826] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0033.826] CloseHandle (hObject=0x204) returned 1 [0034.920] GetProcessHeap () returned 0x4e0000 [0034.920] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0034.920] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab_forv_{KNUJ5K}.for") returned 103 [0034.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab_forv_{knuj5k}.for")) returned 1 [0034.921] GetProcessHeap () returned 0x4e0000 [0034.921] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0034.921] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0034.921] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0034.921] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0034.921] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0034.921] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0034.921] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0034.921] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0034.921] StrStrIW (lpFirst="Proof.msi", lpSrch=".for") returned 0x0 [0034.921] lstrcmpW (lpString1="Proof.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0034.921] lstrcmpW (lpString1="Proof.msi", lpString2="taridd") returned -1 [0034.921] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0034.921] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0034.921] GetTickCount () returned 0x114341b [0034.921] GetTickCount () returned 0x114341b [0034.921] GetTickCount () returned 0x114341b [0034.921] GetTickCount () returned 0x114341b [0034.921] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0034.921] GetProcessHeap () returned 0x4e0000 [0034.921] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0034.921] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0034.924] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0034.924] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0034.924] GetProcessHeap () returned 0x4e0000 [0034.924] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0034.924] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0034.924] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0034.925] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0034.925] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0034.925] CloseHandle (hObject=0x204) returned 1 [0034.935] GetProcessHeap () returned 0x4e0000 [0034.935] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0034.935] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi_forv_{KNUJ5K}.for") returned 103 [0034.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi_forv_{knuj5k}.for")) returned 1 [0034.935] GetProcessHeap () returned 0x4e0000 [0034.935] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0034.935] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0034.936] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0034.936] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0034.936] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0034.936] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0034.936] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0034.936] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0034.936] StrStrIW (lpFirst="Proof.xml", lpSrch=".for") returned 0x0 [0034.936] lstrcmpW (lpString1="Proof.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0034.936] lstrcmpW (lpString1="Proof.xml", lpString2="taridd") returned -1 [0034.936] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0034.936] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0034.936] GetTickCount () returned 0x114342b [0034.936] GetTickCount () returned 0x114342b [0034.936] GetTickCount () returned 0x114342b [0034.936] GetTickCount () returned 0x114342b [0034.936] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0034.936] GetProcessHeap () returned 0x4e0000 [0034.936] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0034.936] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x5b1, lpOverlapped=0x0) returned 1 [0034.938] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0034.938] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x5b1, lpOverlapped=0x0) returned 1 [0034.938] GetProcessHeap () returned 0x4e0000 [0034.938] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0034.938] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0034.938] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0034.938] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0034.938] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0034.938] CloseHandle (hObject=0x204) returned 1 [0034.939] GetProcessHeap () returned 0x4e0000 [0034.939] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0034.939] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml_forv_{KNUJ5K}.for") returned 103 [0034.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml_forv_{knuj5k}.for")) returned 1 [0034.941] GetProcessHeap () returned 0x4e0000 [0034.941] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0034.941] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0034.941] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0034.941] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0034.941] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0034.941] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0034.942] CloseHandle (hObject=0x208) returned 1 [0034.942] GetProcessHeap () returned 0x4e0000 [0034.942] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0034.942] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0034.942] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0034.942] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0034.942] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0034.942] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files") returned 1 [0034.942] lstrcmpiW (lpString1="Proof.fr", lpString2="Program Files (x86)") returned 1 [0034.942] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0034.942] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0034.942] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0034.942] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0034.942] GetProcessHeap () returned 0x4e0000 [0034.942] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0034.942] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned 77 [0034.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0034.943] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0034.943] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0034.943] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0034.943] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0034.943] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0034.943] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.") returned 77 [0034.943] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0034.943] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.943] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0034.943] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0034.943] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0034.943] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0034.943] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0034.943] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\..") returned 78 [0034.943] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0034.943] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0034.943] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0034.943] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0034.943] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0034.943] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0034.943] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files") returned 1 [0034.943] lstrcmpiW (lpString1="Proof.cab", lpString2="Program Files (x86)") returned 1 [0034.943] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0034.943] StrStrIW (lpFirst="Proof.cab", lpSrch=".for") returned 0x0 [0034.943] lstrcmpW (lpString1="Proof.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0034.943] lstrcmpW (lpString1="Proof.cab", lpString2="taridd") returned -1 [0034.943] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0034.943] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0034.943] GetTickCount () returned 0x114342b [0034.944] GetTickCount () returned 0x114343b [0034.944] GetTickCount () returned 0x114343b [0034.944] GetTickCount () returned 0x114343b [0034.944] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0034.944] GetProcessHeap () returned 0x4e0000 [0034.944] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0034.944] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0034.946] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0034.946] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0034.947] GetProcessHeap () returned 0x4e0000 [0034.947] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0034.947] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0034.947] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0034.948] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0034.948] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0034.949] CloseHandle (hObject=0x204) returned 1 [0035.979] GetProcessHeap () returned 0x4e0000 [0035.979] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0035.979] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab_forv_{KNUJ5K}.for") returned 103 [0035.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab_forv_{knuj5k}.for")) returned 1 [0035.980] GetProcessHeap () returned 0x4e0000 [0035.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0035.980] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0035.980] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0035.980] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0035.980] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0035.980] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files") returned 1 [0035.980] lstrcmpiW (lpString1="Proof.msi", lpString2="Program Files (x86)") returned 1 [0035.980] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0035.980] StrStrIW (lpFirst="Proof.msi", lpSrch=".for") returned 0x0 [0035.980] lstrcmpW (lpString1="Proof.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0035.980] lstrcmpW (lpString1="Proof.msi", lpString2="taridd") returned -1 [0035.980] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0035.980] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0036.000] GetTickCount () returned 0x1143831 [0036.000] GetTickCount () returned 0x1143831 [0036.000] GetTickCount () returned 0x1143831 [0036.000] GetTickCount () returned 0x1143831 [0036.000] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0036.000] GetProcessHeap () returned 0x4e0000 [0036.000] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0036.000] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0036.007] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.007] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0036.007] GetProcessHeap () returned 0x4e0000 [0036.007] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0036.008] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.008] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0036.009] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0036.009] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0036.009] CloseHandle (hObject=0x204) returned 1 [0036.019] GetProcessHeap () returned 0x4e0000 [0036.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0036.019] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi_forv_{KNUJ5K}.for") returned 103 [0036.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi_forv_{knuj5k}.for")) returned 1 [0036.031] GetProcessHeap () returned 0x4e0000 [0036.031] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0036.031] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0036.031] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0036.031] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0036.031] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0036.031] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files") returned 1 [0036.031] lstrcmpiW (lpString1="Proof.xml", lpString2="Program Files (x86)") returned 1 [0036.031] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0036.031] StrStrIW (lpFirst="Proof.xml", lpSrch=".for") returned 0x0 [0036.031] lstrcmpW (lpString1="Proof.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.031] lstrcmpW (lpString1="Proof.xml", lpString2="taridd") returned -1 [0036.031] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.031] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0036.033] GetTickCount () returned 0x1143850 [0036.033] GetTickCount () returned 0x1143850 [0036.033] GetTickCount () returned 0x1143850 [0036.033] GetTickCount () returned 0x1143850 [0036.033] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0036.033] GetProcessHeap () returned 0x4e0000 [0036.033] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0036.033] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x5b2, lpOverlapped=0x0) returned 1 [0036.037] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.037] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x5b2, lpOverlapped=0x0) returned 1 [0036.037] GetProcessHeap () returned 0x4e0000 [0036.037] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0036.037] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.037] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0036.037] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0036.037] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0036.037] CloseHandle (hObject=0x204) returned 1 [0036.039] GetProcessHeap () returned 0x4e0000 [0036.039] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0036.039] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml_forv_{KNUJ5K}.for") returned 103 [0036.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml_forv_{knuj5k}.for")) returned 1 [0036.041] GetProcessHeap () returned 0x4e0000 [0036.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0036.041] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0036.041] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0036.041] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0036.041] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.042] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0036.043] CloseHandle (hObject=0x208) returned 1 [0036.043] GetProcessHeap () returned 0x4e0000 [0036.043] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.043] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0036.043] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0036.043] lstrcmpiW (lpString1="Proofing.msi", lpString2="$Recycle.bin") returned 1 [0036.043] lstrcmpiW (lpString1="Proofing.msi", lpString2="System Volume Information") returned -1 [0036.043] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files") returned 1 [0036.043] lstrcmpiW (lpString1="Proofing.msi", lpString2="Program Files (x86)") returned 1 [0036.043] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0036.043] StrStrIW (lpFirst="Proofing.msi", lpSrch=".for") returned 0x0 [0036.043] lstrcmpW (lpString1="Proofing.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.043] lstrcmpW (lpString1="Proofing.msi", lpString2="taridd") returned -1 [0036.043] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.043] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.044] GetTickCount () returned 0x114385f [0036.044] GetTickCount () returned 0x114385f [0036.044] GetTickCount () returned 0x114385f [0036.044] GetTickCount () returned 0x114385f [0036.044] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.044] GetProcessHeap () returned 0x4e0000 [0036.044] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.044] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.052] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.052] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.052] GetProcessHeap () returned 0x4e0000 [0036.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.052] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.053] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.056] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.056] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.056] CloseHandle (hObject=0x208) returned 1 [0036.067] GetProcessHeap () returned 0x4e0000 [0036.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.067] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi_forv_{KNUJ5K}.for") returned 97 [0036.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi_forv_{knuj5k}.for")) returned 1 [0036.068] GetProcessHeap () returned 0x4e0000 [0036.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.068] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0036.068] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0036.068] lstrcmpiW (lpString1="Proofing.xml", lpString2="$Recycle.bin") returned 1 [0036.068] lstrcmpiW (lpString1="Proofing.xml", lpString2="System Volume Information") returned -1 [0036.068] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files") returned 1 [0036.068] lstrcmpiW (lpString1="Proofing.xml", lpString2="Program Files (x86)") returned 1 [0036.068] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0036.068] StrStrIW (lpFirst="Proofing.xml", lpSrch=".for") returned 0x0 [0036.068] lstrcmpW (lpString1="Proofing.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.068] lstrcmpW (lpString1="Proofing.xml", lpString2="taridd") returned -1 [0036.068] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.068] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.069] GetTickCount () returned 0x114387f [0036.069] GetTickCount () returned 0x114387f [0036.069] GetTickCount () returned 0x114387f [0036.069] GetTickCount () returned 0x114387f [0036.069] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.069] GetProcessHeap () returned 0x4e0000 [0036.069] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.069] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x32b, lpOverlapped=0x0) returned 1 [0036.070] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.070] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x32b, lpOverlapped=0x0) returned 1 [0036.070] GetProcessHeap () returned 0x4e0000 [0036.070] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.070] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.071] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.071] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.071] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.071] CloseHandle (hObject=0x208) returned 1 [0036.071] GetProcessHeap () returned 0x4e0000 [0036.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.071] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml_forv_{KNUJ5K}.for") returned 97 [0036.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml_forv_{knuj5k}.for")) returned 1 [0036.072] GetProcessHeap () returned 0x4e0000 [0036.072] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.072] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0036.072] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0036.072] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0036.072] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0036.072] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0036.072] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0036.072] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0036.072] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0036.072] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.072] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0036.072] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.072] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.072] GetTickCount () returned 0x114387f [0036.072] GetTickCount () returned 0x114387f [0036.072] GetTickCount () returned 0x114387f [0036.072] GetTickCount () returned 0x114387f [0036.072] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.073] GetProcessHeap () returned 0x4e0000 [0036.073] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.073] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x16fc, lpOverlapped=0x0) returned 1 [0036.074] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.074] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x16fc, lpOverlapped=0x0) returned 1 [0036.074] GetProcessHeap () returned 0x4e0000 [0036.074] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.074] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.074] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.074] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.074] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.075] CloseHandle (hObject=0x208) returned 1 [0036.075] GetProcessHeap () returned 0x4e0000 [0036.075] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.075] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0036.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0036.076] GetProcessHeap () returned 0x4e0000 [0036.076] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.076] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0036.076] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0036.076] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0036.076] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0036.076] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0036.077] CloseHandle (hObject=0x150) returned 1 [0036.077] GetProcessHeap () returned 0x4e0000 [0036.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0036.077] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0036.077] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0036.077] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0036.077] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0036.077] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0036.077] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0036.077] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0036.077] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0036.077] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0036.078] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0036.078] GetProcessHeap () returned 0x4e0000 [0036.078] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0036.078] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned 68 [0036.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0036.083] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0036.083] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0036.083] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0036.083] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0036.083] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0036.083] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0036.083] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0036.083] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0036.083] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0036.084] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0036.084] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.084] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0036.084] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0036.084] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0036.084] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0036.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0036.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0036.084] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0036.084] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0036.084] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0036.084] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0036.084] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0036.084] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0036.084] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.084] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0036.084] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0036.084] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0036.084] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$Recycle.bin") returned 1 [0036.084] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="System Volume Information") returned -1 [0036.084] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files") returned -1 [0036.084] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Program Files (x86)") returned -1 [0036.084] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0036.084] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".for") returned 0x0 [0036.084] lstrcmpW (lpString1="Office32MUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.084] lstrcmpW (lpString1="Office32MUI.msi", lpString2="taridd") returned -1 [0036.084] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.084] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.085] GetTickCount () returned 0x114388e [0036.085] GetTickCount () returned 0x114388e [0036.085] GetTickCount () returned 0x114388e [0036.085] GetTickCount () returned 0x114388e [0036.085] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.085] GetProcessHeap () returned 0x4e0000 [0036.085] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.085] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.087] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.087] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.088] GetProcessHeap () returned 0x4e0000 [0036.088] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.088] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.088] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.089] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.089] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.089] CloseHandle (hObject=0x208) returned 1 [0036.099] GetProcessHeap () returned 0x4e0000 [0036.099] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.099] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi_forv_{KNUJ5K}.for") returned 100 [0036.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi_forv_{knuj5k}.for")) returned 1 [0036.100] GetProcessHeap () returned 0x4e0000 [0036.100] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.100] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0036.100] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0036.100] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$Recycle.bin") returned 1 [0036.100] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="System Volume Information") returned -1 [0036.100] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files") returned -1 [0036.100] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Program Files (x86)") returned -1 [0036.100] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0036.100] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".for") returned 0x0 [0036.100] lstrcmpW (lpString1="Office32MUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.100] lstrcmpW (lpString1="Office32MUI.xml", lpString2="taridd") returned -1 [0036.100] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.100] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.100] GetTickCount () returned 0x114389e [0036.100] GetTickCount () returned 0x114389e [0036.100] GetTickCount () returned 0x114389e [0036.100] GetTickCount () returned 0x114389e [0036.100] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.100] GetProcessHeap () returned 0x4e0000 [0036.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.101] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x567, lpOverlapped=0x0) returned 1 [0036.102] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffa99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.102] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x567, lpOverlapped=0x0) returned 1 [0036.102] GetProcessHeap () returned 0x4e0000 [0036.102] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.102] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.102] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.102] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.102] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.103] CloseHandle (hObject=0x208) returned 1 [0036.103] GetProcessHeap () returned 0x4e0000 [0036.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.103] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml_forv_{KNUJ5K}.for") returned 100 [0036.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml_forv_{knuj5k}.for")) returned 1 [0036.104] GetProcessHeap () returned 0x4e0000 [0036.104] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.104] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0036.104] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Windows") returned -1 [0036.104] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$Recycle.bin") returned 1 [0036.104] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="System Volume Information") returned -1 [0036.104] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files") returned -1 [0036.104] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Program Files (x86)") returned -1 [0036.104] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0036.104] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".for") returned 0x0 [0036.104] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.104] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="taridd") returned -1 [0036.104] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.104] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.104] GetTickCount () returned 0x114389e [0036.104] GetTickCount () returned 0x114389e [0036.104] GetTickCount () returned 0x114389e [0036.104] GetTickCount () returned 0x114389e [0036.104] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.104] GetProcessHeap () returned 0x4e0000 [0036.104] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.104] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.110] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.110] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0036.111] GetProcessHeap () returned 0x4e0000 [0036.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.111] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.111] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.144] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.144] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.144] CloseHandle (hObject=0x208) returned 1 [0036.216] GetProcessHeap () returned 0x4e0000 [0036.217] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.392] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab_forv_{KNUJ5K}.for") returned 97 [0036.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab_forv_{knuj5k}.for")) returned 1 [0036.426] GetProcessHeap () returned 0x4e0000 [0036.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.429] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0036.432] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0036.433] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0036.435] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0036.437] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0036.438] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0036.442] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0036.444] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0036.445] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0036.446] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0036.451] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0036.453] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0036.460] GetTickCount () returned 0x1143a05 [0036.461] GetTickCount () returned 0x1143a05 [0036.463] GetTickCount () returned 0x1143a05 [0036.464] GetTickCount () returned 0x1143a05 [0036.466] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0036.472] GetProcessHeap () returned 0x4e0000 [0036.475] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0036.478] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x93a, lpOverlapped=0x0) returned 1 [0036.502] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff6c6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0036.505] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x93a, lpOverlapped=0x0) returned 1 [0036.510] GetProcessHeap () returned 0x4e0000 [0036.511] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0036.514] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0036.517] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0036.523] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0036.527] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0036.533] CloseHandle (hObject=0x208) returned 1 [0036.561] GetProcessHeap () returned 0x4e0000 [0036.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0036.563] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0036.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0036.934] GetProcessHeap () returned 0x4e0000 [0036.939] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0036.940] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0036.940] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0036.940] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0036.940] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0036.940] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0036.941] CloseHandle (hObject=0x150) returned 1 [0036.941] GetProcessHeap () returned 0x4e0000 [0036.941] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0036.941] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0036.941] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0036.941] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0036.941] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0036.941] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0036.941] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0036.941] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0036.941] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0036.941] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0036.941] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0036.942] GetProcessHeap () returned 0x4e0000 [0036.942] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0036.942] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned 68 [0036.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.056] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.056] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.056] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.056] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.056] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.056] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.056] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.056] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.056] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.056] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.056] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.057] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.057] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.057] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.057] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.057] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.057] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.057] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.057] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.057] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.057] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.057] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.057] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.057] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.057] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0037.057] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0037.057] lstrcmpiW (lpString1="InfLR.cab", lpString2="$Recycle.bin") returned 1 [0037.057] lstrcmpiW (lpString1="InfLR.cab", lpString2="System Volume Information") returned -1 [0037.057] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files") returned -1 [0037.057] lstrcmpiW (lpString1="InfLR.cab", lpString2="Program Files (x86)") returned -1 [0037.057] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0037.057] StrStrIW (lpFirst="InfLR.cab", lpSrch=".for") returned 0x0 [0037.057] lstrcmpW (lpString1="InfLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.057] lstrcmpW (lpString1="InfLR.cab", lpString2="taridd") returned -1 [0037.057] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.057] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.060] GetTickCount () returned 0x1143c55 [0037.060] GetTickCount () returned 0x1143c55 [0037.060] GetTickCount () returned 0x1143c55 [0037.060] GetTickCount () returned 0x1143c55 [0037.060] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.060] GetProcessHeap () returned 0x4e0000 [0037.060] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.060] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.063] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.063] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.063] GetProcessHeap () returned 0x4e0000 [0037.063] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.063] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.063] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.064] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.064] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.064] CloseHandle (hObject=0x208) returned 1 [0037.085] GetProcessHeap () returned 0x4e0000 [0037.085] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.085] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab_forv_{KNUJ5K}.for") returned 94 [0037.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab_forv_{knuj5k}.for")) returned 1 [0037.085] GetProcessHeap () returned 0x4e0000 [0037.085] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.085] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0037.085] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0037.085] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$Recycle.bin") returned 1 [0037.085] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="System Volume Information") returned -1 [0037.085] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files") returned -1 [0037.085] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Program Files (x86)") returned -1 [0037.085] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0037.086] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".for") returned 0x0 [0037.086] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.086] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="taridd") returned -1 [0037.086] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.086] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.086] GetTickCount () returned 0x1143c75 [0037.086] GetTickCount () returned 0x1143c75 [0037.086] GetTickCount () returned 0x1143c75 [0037.086] GetTickCount () returned 0x1143c75 [0037.086] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.086] GetProcessHeap () returned 0x4e0000 [0037.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.086] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.088] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.088] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.089] GetProcessHeap () returned 0x4e0000 [0037.089] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.089] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.089] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.103] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.103] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.103] CloseHandle (hObject=0x208) returned 1 [0037.103] GetProcessHeap () returned 0x4e0000 [0037.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.103] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi_forv_{KNUJ5K}.for") returned 100 [0037.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi_forv_{knuj5k}.for")) returned 1 [0037.103] GetProcessHeap () returned 0x4e0000 [0037.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.103] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0037.103] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0037.104] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$Recycle.bin") returned 1 [0037.104] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="System Volume Information") returned -1 [0037.104] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files") returned -1 [0037.104] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Program Files (x86)") returned -1 [0037.104] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0037.104] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".for") returned 0x0 [0037.104] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.104] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="taridd") returned -1 [0037.104] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.104] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.104] GetTickCount () returned 0x1143c84 [0037.104] GetTickCount () returned 0x1143c84 [0037.104] GetTickCount () returned 0x1143c84 [0037.104] GetTickCount () returned 0x1143c84 [0037.104] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.104] GetProcessHeap () returned 0x4e0000 [0037.104] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.104] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x4cf, lpOverlapped=0x0) returned 1 [0037.106] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffb31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.106] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x4cf, lpOverlapped=0x0) returned 1 [0037.106] GetProcessHeap () returned 0x4e0000 [0037.106] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.106] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.106] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.106] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.107] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.107] CloseHandle (hObject=0x208) returned 1 [0037.107] GetProcessHeap () returned 0x4e0000 [0037.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.107] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml_forv_{KNUJ5K}.for") returned 100 [0037.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml_forv_{knuj5k}.for")) returned 1 [0037.107] GetProcessHeap () returned 0x4e0000 [0037.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.108] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0037.108] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0037.108] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0037.108] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0037.108] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0037.108] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0037.108] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0037.108] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0037.108] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.108] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0037.108] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.108] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.108] GetTickCount () returned 0x1143c84 [0037.108] GetTickCount () returned 0x1143c84 [0037.108] GetTickCount () returned 0x1143c84 [0037.108] GetTickCount () returned 0x1143c84 [0037.108] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.108] GetProcessHeap () returned 0x4e0000 [0037.108] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.108] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x73c, lpOverlapped=0x0) returned 1 [0037.110] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.110] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x73c, lpOverlapped=0x0) returned 1 [0037.110] GetProcessHeap () returned 0x4e0000 [0037.110] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.110] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.110] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.110] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.110] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.110] CloseHandle (hObject=0x208) returned 1 [0037.110] GetProcessHeap () returned 0x4e0000 [0037.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.110] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0037.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0037.111] GetProcessHeap () returned 0x4e0000 [0037.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.111] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0037.111] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0037.111] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0037.111] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0037.111] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0037.112] CloseHandle (hObject=0x150) returned 1 [0037.112] GetProcessHeap () returned 0x4e0000 [0037.112] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.112] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0037.112] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0037.113] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0037.113] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0037.113] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0037.113] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0037.113] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0037.113] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0037.113] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0037.113] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.113] GetProcessHeap () returned 0x4e0000 [0037.113] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.113] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned 68 [0037.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.113] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.113] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.113] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.113] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.113] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.113] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.113] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.113] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.113] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.113] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.113] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.113] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.114] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.114] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.114] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.114] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.114] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.114] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.114] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.114] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.114] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.114] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.114] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0037.114] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0037.114] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0037.114] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0037.114] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0037.114] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0037.114] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0037.114] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0037.114] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.114] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0037.114] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.114] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.115] GetTickCount () returned 0x1143c94 [0037.115] GetTickCount () returned 0x1143c94 [0037.115] GetTickCount () returned 0x1143c94 [0037.115] GetTickCount () returned 0x1143c94 [0037.115] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.115] GetProcessHeap () returned 0x4e0000 [0037.115] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.115] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x1861, lpOverlapped=0x0) returned 1 [0037.117] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffe79f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.117] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x1861, lpOverlapped=0x0) returned 1 [0037.117] GetProcessHeap () returned 0x4e0000 [0037.117] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.117] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.117] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.117] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.117] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.117] CloseHandle (hObject=0x208) returned 1 [0037.117] GetProcessHeap () returned 0x4e0000 [0037.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.118] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0037.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0037.119] GetProcessHeap () returned 0x4e0000 [0037.119] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.119] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0037.119] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0037.120] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$Recycle.bin") returned 1 [0037.120] lstrcmpiW (lpString1="VisioLR.cab", lpString2="System Volume Information") returned 1 [0037.120] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files") returned 1 [0037.120] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Program Files (x86)") returned 1 [0037.120] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0037.120] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".for") returned 0x0 [0037.120] lstrcmpW (lpString1="VisioLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.120] lstrcmpW (lpString1="VisioLR.cab", lpString2="taridd") returned 1 [0037.120] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.120] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.120] GetTickCount () returned 0x1143c94 [0037.120] GetTickCount () returned 0x1143c94 [0037.120] GetTickCount () returned 0x1143c94 [0037.120] GetTickCount () returned 0x1143c94 [0037.120] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.120] GetProcessHeap () returned 0x4e0000 [0037.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.120] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.122] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.125] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.126] GetProcessHeap () returned 0x4e0000 [0037.126] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.126] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.126] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.127] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.127] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.127] CloseHandle (hObject=0x208) returned 1 [0037.127] GetProcessHeap () returned 0x4e0000 [0037.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.127] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab_forv_{KNUJ5K}.for") returned 96 [0037.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab_forv_{knuj5k}.for")) returned 1 [0037.128] GetProcessHeap () returned 0x4e0000 [0037.128] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.128] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0037.128] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0037.128] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$Recycle.bin") returned 1 [0037.128] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="System Volume Information") returned 1 [0037.128] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files") returned 1 [0037.128] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Program Files (x86)") returned 1 [0037.128] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0037.128] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".for") returned 0x0 [0037.128] lstrcmpW (lpString1="VisioMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.128] lstrcmpW (lpString1="VisioMUI.msi", lpString2="taridd") returned 1 [0037.128] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.128] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.129] GetTickCount () returned 0x1143ca3 [0037.129] GetTickCount () returned 0x1143ca3 [0037.129] GetTickCount () returned 0x1143ca3 [0037.129] GetTickCount () returned 0x1143ca3 [0037.129] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.129] GetProcessHeap () returned 0x4e0000 [0037.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.129] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.130] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.131] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.131] GetProcessHeap () returned 0x4e0000 [0037.131] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.131] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.131] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.132] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.132] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.132] CloseHandle (hObject=0x208) returned 1 [0037.132] GetProcessHeap () returned 0x4e0000 [0037.132] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.132] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi_forv_{KNUJ5K}.for") returned 97 [0037.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi_forv_{knuj5k}.for")) returned 1 [0037.133] GetProcessHeap () returned 0x4e0000 [0037.133] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.133] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0037.133] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0037.133] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$Recycle.bin") returned 1 [0037.133] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="System Volume Information") returned 1 [0037.133] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files") returned 1 [0037.133] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Program Files (x86)") returned 1 [0037.133] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0037.133] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".for") returned 0x0 [0037.133] lstrcmpW (lpString1="VisioMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.133] lstrcmpW (lpString1="VisioMUI.xml", lpString2="taridd") returned 1 [0037.133] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.133] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.133] GetTickCount () returned 0x1143ca3 [0037.133] GetTickCount () returned 0x1143ca3 [0037.133] GetTickCount () returned 0x1143ca3 [0037.133] GetTickCount () returned 0x1143ca3 [0037.134] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.134] GetProcessHeap () returned 0x4e0000 [0037.134] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.134] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x251f, lpOverlapped=0x0) returned 1 [0037.135] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.135] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x251f, lpOverlapped=0x0) returned 1 [0037.135] GetProcessHeap () returned 0x4e0000 [0037.135] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.135] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.135] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.135] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.136] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.136] CloseHandle (hObject=0x208) returned 1 [0037.136] GetProcessHeap () returned 0x4e0000 [0037.136] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5350b8 [0037.136] wnsprintfW (in: pszDest=0x5350b8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml_forv_{KNUJ5K}.for") returned 97 [0037.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml_forv_{knuj5k}.for")) returned 1 [0037.377] GetProcessHeap () returned 0x4e0000 [0037.377] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5350b8 | out: hHeap=0x4e0000) returned 1 [0037.377] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0037.378] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0037.378] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0037.378] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0037.426] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0037.427] CloseHandle (hObject=0x150) returned 1 [0037.427] GetProcessHeap () returned 0x4e0000 [0037.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.427] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0037.427] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0037.427] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0037.427] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0037.427] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0037.427] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0037.427] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0037.427] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0037.427] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0037.427] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.427] GetProcessHeap () returned 0x4e0000 [0037.427] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0037.427] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned 68 [0037.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.433] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.433] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.433] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.433] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.433] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.433] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.433] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.433] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.433] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.433] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.433] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.433] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.433] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.433] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.433] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.433] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.433] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.433] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.433] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.433] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.434] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.434] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.434] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.434] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.434] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.434] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0037.434] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0037.434] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$Recycle.bin") returned 1 [0037.434] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="System Volume Information") returned -1 [0037.434] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files") returned -1 [0037.434] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Program Files (x86)") returned -1 [0037.434] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0037.434] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".for") returned 0x0 [0037.434] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.434] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="taridd") returned -1 [0037.434] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.434] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.434] GetTickCount () returned 0x1143dcc [0037.434] GetTickCount () returned 0x1143dcc [0037.434] GetTickCount () returned 0x1143dcc [0037.434] GetTickCount () returned 0x1143dcc [0037.434] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.434] GetProcessHeap () returned 0x4e0000 [0037.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.434] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.436] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.436] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.437] GetProcessHeap () returned 0x4e0000 [0037.437] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.437] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.437] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.438] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.438] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.438] CloseHandle (hObject=0x208) returned 1 [0037.438] GetProcessHeap () returned 0x4e0000 [0037.438] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.438] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi_forv_{KNUJ5K}.for") returned 99 [0037.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi_forv_{knuj5k}.for")) returned 1 [0037.439] GetProcessHeap () returned 0x4e0000 [0037.439] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.439] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0037.439] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0037.439] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$Recycle.bin") returned 1 [0037.439] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="System Volume Information") returned -1 [0037.439] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files") returned -1 [0037.439] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Program Files (x86)") returned -1 [0037.439] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0037.439] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".for") returned 0x0 [0037.439] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.439] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="taridd") returned -1 [0037.439] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.439] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.439] GetTickCount () returned 0x1143dcc [0037.439] GetTickCount () returned 0x1143dcc [0037.439] GetTickCount () returned 0x1143dcc [0037.439] GetTickCount () returned 0x1143dcc [0037.439] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.440] GetProcessHeap () returned 0x4e0000 [0037.440] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.440] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x646, lpOverlapped=0x0) returned 1 [0037.441] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.441] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x646, lpOverlapped=0x0) returned 1 [0037.441] GetProcessHeap () returned 0x4e0000 [0037.441] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.441] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.441] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.441] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.441] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.441] CloseHandle (hObject=0x208) returned 1 [0037.441] GetProcessHeap () returned 0x4e0000 [0037.441] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.441] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml_forv_{KNUJ5K}.for") returned 99 [0037.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml_forv_{knuj5k}.for")) returned 1 [0037.442] GetProcessHeap () returned 0x4e0000 [0037.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.442] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0037.442] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0037.442] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$Recycle.bin") returned 1 [0037.442] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="System Volume Information") returned -1 [0037.442] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files") returned -1 [0037.442] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Program Files (x86)") returned -1 [0037.442] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0037.442] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".for") returned 0x0 [0037.442] lstrcmpW (lpString1="OnoteLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.442] lstrcmpW (lpString1="OnoteLR.cab", lpString2="taridd") returned -1 [0037.442] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.442] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.443] GetTickCount () returned 0x1143ddb [0037.443] GetTickCount () returned 0x1143ddb [0037.443] GetTickCount () returned 0x1143ddb [0037.443] GetTickCount () returned 0x1143ddb [0037.443] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.443] GetProcessHeap () returned 0x4e0000 [0037.443] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.443] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.445] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.445] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.446] GetProcessHeap () returned 0x4e0000 [0037.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.446] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.446] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.447] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.447] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.447] CloseHandle (hObject=0x208) returned 1 [0037.448] GetProcessHeap () returned 0x4e0000 [0037.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.448] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab_forv_{KNUJ5K}.for") returned 96 [0037.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab_forv_{knuj5k}.for")) returned 1 [0037.448] GetProcessHeap () returned 0x4e0000 [0037.448] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.448] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0037.448] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0037.448] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0037.448] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0037.448] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0037.448] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0037.448] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0037.448] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0037.448] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.448] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0037.448] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.448] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.449] GetTickCount () returned 0x1143ddb [0037.449] GetTickCount () returned 0x1143ddb [0037.449] GetTickCount () returned 0x1143ddb [0037.449] GetTickCount () returned 0x1143ddb [0037.449] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.449] GetProcessHeap () returned 0x4e0000 [0037.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.449] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x7c4, lpOverlapped=0x0) returned 1 [0037.452] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.452] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x7c4, lpOverlapped=0x0) returned 1 [0037.452] GetProcessHeap () returned 0x4e0000 [0037.453] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.453] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.453] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.453] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.453] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.453] CloseHandle (hObject=0x208) returned 1 [0037.453] GetProcessHeap () returned 0x4e0000 [0037.453] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.453] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0037.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0037.453] GetProcessHeap () returned 0x4e0000 [0037.453] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.453] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0037.453] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0037.454] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0037.454] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0037.454] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0037.454] CloseHandle (hObject=0x150) returned 1 [0037.455] GetProcessHeap () returned 0x4e0000 [0037.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0037.455] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0037.455] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0037.455] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0037.455] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0037.455] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0037.455] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0037.455] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0037.455] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0037.455] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0037.455] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.455] GetProcessHeap () returned 0x4e0000 [0037.455] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0037.455] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned 68 [0037.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.457] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.458] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.458] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.458] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.458] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.458] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.458] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.458] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.458] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.458] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.458] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.458] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.458] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.458] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.458] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.458] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.458] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.458] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0037.458] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0037.458] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$Recycle.bin") returned 1 [0037.458] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="System Volume Information") returned -1 [0037.458] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files") returned 1 [0037.458] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Program Files (x86)") returned 1 [0037.458] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0037.458] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".for") returned 0x0 [0037.458] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.458] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="taridd") returned -1 [0037.459] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.459] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.459] GetTickCount () returned 0x1143deb [0037.459] GetTickCount () returned 0x1143deb [0037.459] GetTickCount () returned 0x1143deb [0037.459] GetTickCount () returned 0x1143deb [0037.459] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.459] GetProcessHeap () returned 0x4e0000 [0037.459] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.459] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.461] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.462] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.462] GetProcessHeap () returned 0x4e0000 [0037.462] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.462] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.462] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.463] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.463] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.463] CloseHandle (hObject=0x208) returned 1 [0037.463] GetProcessHeap () returned 0x4e0000 [0037.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.463] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi_forv_{KNUJ5K}.for") returned 99 [0037.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi_forv_{knuj5k}.for")) returned 1 [0037.464] GetProcessHeap () returned 0x4e0000 [0037.464] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.464] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0037.464] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0037.464] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$Recycle.bin") returned 1 [0037.464] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="System Volume Information") returned -1 [0037.464] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files") returned 1 [0037.464] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Program Files (x86)") returned 1 [0037.464] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0037.464] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".for") returned 0x0 [0037.464] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.464] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="taridd") returned -1 [0037.464] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.464] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.465] GetTickCount () returned 0x1143deb [0037.465] GetTickCount () returned 0x1143deb [0037.465] GetTickCount () returned 0x1143deb [0037.465] GetTickCount () returned 0x1143deb [0037.465] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.465] GetProcessHeap () returned 0x4e0000 [0037.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.465] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x5ac, lpOverlapped=0x0) returned 1 [0037.467] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.467] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x5ac, lpOverlapped=0x0) returned 1 [0037.467] GetProcessHeap () returned 0x4e0000 [0037.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.467] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.467] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.467] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.467] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.467] CloseHandle (hObject=0x208) returned 1 [0037.467] GetProcessHeap () returned 0x4e0000 [0037.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.467] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml_forv_{KNUJ5K}.for") returned 99 [0037.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml_forv_{knuj5k}.for")) returned 1 [0037.468] GetProcessHeap () returned 0x4e0000 [0037.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.468] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0037.468] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0037.468] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$Recycle.bin") returned 1 [0037.468] lstrcmpiW (lpString1="ProjLR.cab", lpString2="System Volume Information") returned -1 [0037.468] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files") returned 1 [0037.468] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Program Files (x86)") returned 1 [0037.468] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0037.468] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".for") returned 0x0 [0037.468] lstrcmpW (lpString1="ProjLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.468] lstrcmpW (lpString1="ProjLR.cab", lpString2="taridd") returned -1 [0037.468] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.468] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.471] GetTickCount () returned 0x1143dfb [0037.472] GetTickCount () returned 0x1143dfb [0037.472] GetTickCount () returned 0x1143dfb [0037.472] GetTickCount () returned 0x1143dfb [0037.472] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.472] GetProcessHeap () returned 0x4e0000 [0037.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.472] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.474] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.474] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.474] GetProcessHeap () returned 0x4e0000 [0037.474] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.474] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.474] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.476] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.476] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.476] CloseHandle (hObject=0x208) returned 1 [0037.476] GetProcessHeap () returned 0x4e0000 [0037.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.476] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab_forv_{KNUJ5K}.for") returned 95 [0037.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab_forv_{knuj5k}.for")) returned 1 [0037.477] GetProcessHeap () returned 0x4e0000 [0037.477] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.477] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0037.477] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0037.477] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0037.477] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0037.477] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0037.477] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0037.477] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0037.477] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0037.477] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.477] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0037.477] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.477] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.478] GetTickCount () returned 0x1143dfb [0037.478] GetTickCount () returned 0x1143dfb [0037.478] GetTickCount () returned 0x1143dfb [0037.478] GetTickCount () returned 0x1143dfb [0037.478] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.478] GetProcessHeap () returned 0x4e0000 [0037.478] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.478] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x750, lpOverlapped=0x0) returned 1 [0037.479] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.479] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x750, lpOverlapped=0x0) returned 1 [0037.480] GetProcessHeap () returned 0x4e0000 [0037.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.480] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.480] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.480] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.480] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.480] CloseHandle (hObject=0x208) returned 1 [0037.480] GetProcessHeap () returned 0x4e0000 [0037.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.480] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0037.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0037.480] GetProcessHeap () returned 0x4e0000 [0037.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.480] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0037.481] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0037.481] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0037.481] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0037.481] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0037.482] CloseHandle (hObject=0x150) returned 1 [0037.482] GetProcessHeap () returned 0x4e0000 [0037.482] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0037.482] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0037.482] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0037.482] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0037.482] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0037.482] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0037.482] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0037.482] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0037.482] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0037.482] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0037.482] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.482] GetProcessHeap () returned 0x4e0000 [0037.482] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0037.482] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned 68 [0037.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.483] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.484] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.484] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.484] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.484] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.484] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.484] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.484] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.484] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.484] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.484] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.484] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.484] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.484] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0037.484] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0037.484] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$Recycle.bin") returned 1 [0037.484] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="System Volume Information") returned -1 [0037.484] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files") returned -1 [0037.484] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Program Files (x86)") returned -1 [0037.484] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0037.484] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".for") returned 0x0 [0037.484] lstrcmpW (lpString1="GrooveLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.484] lstrcmpW (lpString1="GrooveLR.cab", lpString2="taridd") returned -1 [0037.484] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.484] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.485] GetTickCount () returned 0x1143dfb [0037.485] GetTickCount () returned 0x1143dfb [0037.485] GetTickCount () returned 0x1143dfb [0037.485] GetTickCount () returned 0x1143dfb [0037.485] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.485] GetProcessHeap () returned 0x4e0000 [0037.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.485] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.488] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.488] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.489] GetProcessHeap () returned 0x4e0000 [0037.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.489] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.489] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.490] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.490] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.490] CloseHandle (hObject=0x208) returned 1 [0037.490] GetProcessHeap () returned 0x4e0000 [0037.490] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.491] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab_forv_{KNUJ5K}.for") returned 97 [0037.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab_forv_{knuj5k}.for")) returned 1 [0037.491] GetProcessHeap () returned 0x4e0000 [0037.491] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.491] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0037.491] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0037.491] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$Recycle.bin") returned 1 [0037.491] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="System Volume Information") returned -1 [0037.491] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files") returned -1 [0037.491] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Program Files (x86)") returned -1 [0037.491] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0037.491] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".for") returned 0x0 [0037.491] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.491] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="taridd") returned -1 [0037.491] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.491] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.491] GetTickCount () returned 0x1143e0a [0037.491] GetTickCount () returned 0x1143e0a [0037.491] GetTickCount () returned 0x1143e0a [0037.491] GetTickCount () returned 0x1143e0a [0037.492] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.492] GetProcessHeap () returned 0x4e0000 [0037.492] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.492] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.496] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.497] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.662] GetProcessHeap () returned 0x4e0000 [0037.664] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.664] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.667] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.688] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.690] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.691] CloseHandle (hObject=0x208) returned 1 [0037.694] GetProcessHeap () returned 0x4e0000 [0037.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.695] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi_forv_{KNUJ5K}.for") returned 98 [0037.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi_forv_{knuj5k}.for")) returned 1 [0037.704] GetProcessHeap () returned 0x4e0000 [0037.705] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.705] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0037.706] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0037.706] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$Recycle.bin") returned 1 [0037.707] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="System Volume Information") returned -1 [0037.707] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files") returned -1 [0037.707] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Program Files (x86)") returned -1 [0037.708] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0037.709] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".for") returned 0x0 [0037.712] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.712] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="taridd") returned -1 [0037.714] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.717] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.722] GetTickCount () returned 0x1143ef4 [0037.722] GetTickCount () returned 0x1143ef4 [0037.723] GetTickCount () returned 0x1143ef4 [0037.724] GetTickCount () returned 0x1143ef4 [0037.725] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.729] GetProcessHeap () returned 0x4e0000 [0037.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.730] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x391, lpOverlapped=0x0) returned 1 [0037.792] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.794] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x391, lpOverlapped=0x0) returned 1 [0037.797] GetProcessHeap () returned 0x4e0000 [0037.798] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.799] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.802] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.805] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.807] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.810] CloseHandle (hObject=0x208) returned 1 [0037.815] GetProcessHeap () returned 0x4e0000 [0037.816] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.818] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml_forv_{KNUJ5K}.for") returned 98 [0037.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml_forv_{knuj5k}.for")) returned 1 [0037.833] GetProcessHeap () returned 0x4e0000 [0037.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.835] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0037.835] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0037.837] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0037.838] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0037.839] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0037.842] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0037.843] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0037.844] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0037.845] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.846] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0037.846] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.848] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.856] GetTickCount () returned 0x1143f71 [0037.857] GetTickCount () returned 0x1143f71 [0037.857] GetTickCount () returned 0x1143f71 [0037.857] GetTickCount () returned 0x1143f71 [0037.859] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.865] GetProcessHeap () returned 0x4e0000 [0037.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.880] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x5ac, lpOverlapped=0x0) returned 1 [0037.881] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.881] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x5ac, lpOverlapped=0x0) returned 1 [0037.881] GetProcessHeap () returned 0x4e0000 [0037.881] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.881] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.882] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.882] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.882] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.882] CloseHandle (hObject=0x208) returned 1 [0037.882] GetProcessHeap () returned 0x4e0000 [0037.882] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.882] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0037.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0037.883] GetProcessHeap () returned 0x4e0000 [0037.883] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.883] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0037.883] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0037.883] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0037.883] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0037.883] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0037.884] CloseHandle (hObject=0x150) returned 1 [0037.884] GetProcessHeap () returned 0x4e0000 [0037.884] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0037.884] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0037.884] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0037.884] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0037.884] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0037.884] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0037.884] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0037.884] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0037.884] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0037.884] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0037.884] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.884] GetProcessHeap () returned 0x4e0000 [0037.884] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0037.884] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned 68 [0037.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0037.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.886] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0037.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.886] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0037.886] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.886] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0037.886] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.886] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.886] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.886] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0037.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.886] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0037.887] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0037.887] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0037.887] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.887] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.887] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0037.887] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0037.887] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0037.887] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0037.887] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0037.887] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0037.887] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0037.887] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0037.887] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0037.887] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0037.887] GetProcessHeap () returned 0x4e0000 [0037.887] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.887] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned 73 [0037.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0037.888] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0037.888] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0037.888] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0037.888] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0037.888] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0037.888] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.") returned 73 [0037.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0037.888] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.888] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0037.888] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0037.888] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0037.888] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0037.888] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0037.888] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\..") returned 74 [0037.888] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0037.888] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0037.888] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0037.888] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0037.888] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$Recycle.bin") returned 1 [0037.888] lstrcmpiW (lpString1="dwintl20.dll", lpString2="System Volume Information") returned -1 [0037.888] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files") returned -1 [0037.889] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Program Files (x86)") returned -1 [0037.889] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0037.889] StrStrIW (lpFirst="dwintl20.dll", lpSrch=".for") returned 0x0 [0037.889] lstrcmpW (lpString1="dwintl20.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.889] lstrcmpW (lpString1="dwintl20.dll", lpString2="taridd") returned -1 [0037.889] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.889] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0037.889] GetTickCount () returned 0x1143f90 [0037.889] GetTickCount () returned 0x1143f90 [0037.889] GetTickCount () returned 0x1143f90 [0037.889] GetTickCount () returned 0x1143f90 [0037.889] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0037.889] GetProcessHeap () returned 0x4e0000 [0037.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5054e0 [0037.889] ReadFile (in: hFile=0x204, lpBuffer=0x5054e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0037.891] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.891] WriteFile (in: hFile=0x204, lpBuffer=0x5054e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5054e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0037.891] GetProcessHeap () returned 0x4e0000 [0037.891] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5054e0 | out: hHeap=0x4e0000) returned 1 [0037.891] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.891] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0037.892] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0037.892] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0037.892] CloseHandle (hObject=0x204) returned 1 [0037.892] GetProcessHeap () returned 0x4e0000 [0037.893] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0037.893] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll_forv_{KNUJ5K}.for") returned 102 [0037.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll_forv_{knuj5k}.for")) returned 1 [0037.893] GetProcessHeap () returned 0x4e0000 [0037.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0037.893] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0037.893] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0037.893] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0037.893] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.893] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0037.894] CloseHandle (hObject=0x208) returned 1 [0037.894] GetProcessHeap () returned 0x4e0000 [0037.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.894] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0037.894] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0037.894] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0037.894] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0037.895] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0037.895] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0037.895] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0037.895] StrStrIW (lpFirst="branding.xml", lpSrch=".for") returned 0x0 [0037.895] lstrcmpW (lpString1="branding.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.895] lstrcmpW (lpString1="branding.xml", lpString2="taridd") returned -1 [0037.895] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.895] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0037.895] GetTickCount () returned 0x1143fa0 [0037.895] GetTickCount () returned 0x1143fa0 [0037.895] GetTickCount () returned 0x1143fa0 [0037.895] GetTickCount () returned 0x1143fa0 [0037.896] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0037.896] GetProcessHeap () returned 0x4e0000 [0037.896] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5044d8 [0037.896] ReadFile (in: hFile=0x208, lpBuffer=0x5044d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.897] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0037.898] WriteFile (in: hFile=0x208, lpBuffer=0x5044d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5044d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0037.898] GetProcessHeap () returned 0x4e0000 [0037.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5044d8 | out: hHeap=0x4e0000) returned 1 [0037.898] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0037.898] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0037.900] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0037.900] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0037.900] CloseHandle (hObject=0x208) returned 1 [0037.900] GetProcessHeap () returned 0x4e0000 [0037.900] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0037.900] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml_forv_{KNUJ5K}.for") returned 97 [0037.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml_forv_{knuj5k}.for")) returned 1 [0037.900] GetProcessHeap () returned 0x4e0000 [0037.900] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0037.900] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0037.900] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0037.901] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0037.901] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0037.901] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files") returned -1 [0037.901] lstrcmpiW (lpString1="DW20.EXE", lpString2="Program Files (x86)") returned -1 [0037.901] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0037.901] StrStrIW (lpFirst="DW20.EXE", lpSrch=".for") returned 0x0 [0037.901] lstrcmpW (lpString1="DW20.EXE", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0037.901] lstrcmpW (lpString1="DW20.EXE", lpString2="taridd") returned -1 [0037.901] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0037.901] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.212] GetTickCount () returned 0x11440d8 [0038.212] GetTickCount () returned 0x11440d8 [0038.212] GetTickCount () returned 0x11440d8 [0038.212] GetTickCount () returned 0x11440d8 [0038.212] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.212] GetProcessHeap () returned 0x4e0000 [0038.212] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.212] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.237] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.237] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.237] GetProcessHeap () returned 0x4e0000 [0038.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.237] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.237] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.239] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.239] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.239] CloseHandle (hObject=0x208) returned 1 [0038.240] GetProcessHeap () returned 0x4e0000 [0038.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.240] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE_forv_{KNUJ5K}.for") returned 93 [0038.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe_forv_{knuj5k}.for")) returned 1 [0038.240] GetProcessHeap () returned 0x4e0000 [0038.240] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.240] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0038.240] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0038.240] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$Recycle.bin") returned 1 [0038.240] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="System Volume Information") returned -1 [0038.240] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files") returned -1 [0038.240] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Program Files (x86)") returned -1 [0038.240] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0038.240] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".for") returned 0x0 [0038.240] lstrcmpW (lpString1="dwdcw20.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.240] lstrcmpW (lpString1="dwdcw20.dll", lpString2="taridd") returned -1 [0038.240] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.240] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.241] GetTickCount () returned 0x11440f7 [0038.241] GetTickCount () returned 0x11440f7 [0038.241] GetTickCount () returned 0x11440f7 [0038.241] GetTickCount () returned 0x11440f7 [0038.241] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.241] GetProcessHeap () returned 0x4e0000 [0038.241] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.241] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.243] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.243] GetProcessHeap () returned 0x4e0000 [0038.243] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.243] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.245] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.245] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.245] CloseHandle (hObject=0x208) returned 1 [0038.245] GetProcessHeap () returned 0x4e0000 [0038.245] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.245] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll_forv_{KNUJ5K}.for") returned 96 [0038.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll_forv_{knuj5k}.for")) returned 1 [0038.246] GetProcessHeap () returned 0x4e0000 [0038.246] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.246] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0038.246] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0038.246] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$Recycle.bin") returned 1 [0038.246] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="System Volume Information") returned -1 [0038.246] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files") returned -1 [0038.246] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Program Files (x86)") returned -1 [0038.246] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0038.246] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".for") returned 0x0 [0038.246] lstrcmpW (lpString1="dwtrig20.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.246] lstrcmpW (lpString1="dwtrig20.exe", lpString2="taridd") returned -1 [0038.246] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.246] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.246] GetTickCount () returned 0x11440f7 [0038.247] GetTickCount () returned 0x11440f7 [0038.247] GetTickCount () returned 0x11440f7 [0038.247] GetTickCount () returned 0x11440f7 [0038.247] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.247] GetProcessHeap () returned 0x4e0000 [0038.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.247] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.254] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.254] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.254] GetProcessHeap () returned 0x4e0000 [0038.254] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.254] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.254] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.257] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.257] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.257] CloseHandle (hObject=0x208) returned 1 [0038.257] GetProcessHeap () returned 0x4e0000 [0038.257] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.257] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe_forv_{KNUJ5K}.for") returned 97 [0038.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe_forv_{knuj5k}.for")) returned 1 [0038.258] GetProcessHeap () returned 0x4e0000 [0038.258] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.258] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0038.258] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0038.258] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$Recycle.bin") returned 1 [0038.258] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="System Volume Information") returned -1 [0038.258] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files") returned -1 [0038.258] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Program Files (x86)") returned -1 [0038.258] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0038.258] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".for") returned 0x0 [0038.258] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.258] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="taridd") returned -1 [0038.258] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.258] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.259] GetTickCount () returned 0x1144107 [0038.259] GetTickCount () returned 0x1144107 [0038.259] GetTickCount () returned 0x1144107 [0038.259] GetTickCount () returned 0x1144107 [0038.259] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.259] GetProcessHeap () returned 0x4e0000 [0038.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.259] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x741, lpOverlapped=0x0) returned 1 [0038.260] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff8bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.261] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x741, lpOverlapped=0x0) returned 1 [0038.261] GetProcessHeap () returned 0x4e0000 [0038.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.261] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.261] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.261] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.261] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.261] CloseHandle (hObject=0x208) returned 1 [0038.261] GetProcessHeap () returned 0x4e0000 [0038.261] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.261] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest_forv_{KNUJ5K}.for") returned 112 [0038.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest_forv_{knuj5k}.for")) returned 1 [0038.262] GetProcessHeap () returned 0x4e0000 [0038.262] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.262] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0038.262] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Windows") returned -1 [0038.262] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$Recycle.bin") returned 1 [0038.262] lstrcmpiW (lpString1="msvcr90.dll", lpString2="System Volume Information") returned -1 [0038.262] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files") returned -1 [0038.262] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Program Files (x86)") returned -1 [0038.262] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0038.262] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".for") returned 0x0 [0038.262] lstrcmpW (lpString1="msvcr90.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.262] lstrcmpW (lpString1="msvcr90.dll", lpString2="taridd") returned -1 [0038.262] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.262] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.262] GetTickCount () returned 0x1144107 [0038.262] GetTickCount () returned 0x1144107 [0038.262] GetTickCount () returned 0x1144107 [0038.262] GetTickCount () returned 0x1144107 [0038.262] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.263] GetProcessHeap () returned 0x4e0000 [0038.263] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.263] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.264] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.265] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.265] GetProcessHeap () returned 0x4e0000 [0038.265] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.265] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.265] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.314] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.314] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.315] CloseHandle (hObject=0x208) returned 1 [0038.315] GetProcessHeap () returned 0x4e0000 [0038.315] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.315] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll_forv_{KNUJ5K}.for") returned 96 [0038.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll_forv_{knuj5k}.for")) returned 1 [0038.316] GetProcessHeap () returned 0x4e0000 [0038.316] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.316] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0038.316] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0038.316] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$Recycle.bin") returned 1 [0038.316] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="System Volume Information") returned -1 [0038.316] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files") returned -1 [0038.316] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Program Files (x86)") returned -1 [0038.316] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0038.316] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".for") returned 0x0 [0038.316] lstrcmpW (lpString1="OfficeLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.316] lstrcmpW (lpString1="OfficeLR.cab", lpString2="taridd") returned -1 [0038.316] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.316] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.317] GetTickCount () returned 0x1144145 [0038.317] GetTickCount () returned 0x1144145 [0038.317] GetTickCount () returned 0x1144145 [0038.317] GetTickCount () returned 0x1144145 [0038.317] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.317] GetProcessHeap () returned 0x4e0000 [0038.317] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.317] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.319] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.319] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.319] GetProcessHeap () returned 0x4e0000 [0038.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.319] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.320] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.322] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.322] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.322] CloseHandle (hObject=0x208) returned 1 [0038.323] GetProcessHeap () returned 0x4e0000 [0038.323] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.323] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab_forv_{KNUJ5K}.for") returned 97 [0038.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab_forv_{knuj5k}.for")) returned 1 [0038.323] GetProcessHeap () returned 0x4e0000 [0038.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.323] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0038.323] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0038.323] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$Recycle.bin") returned 1 [0038.323] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="System Volume Information") returned -1 [0038.323] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files") returned -1 [0038.323] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Program Files (x86)") returned -1 [0038.323] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0038.323] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".for") returned 0x0 [0038.323] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.323] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="taridd") returned -1 [0038.324] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.324] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.324] GetTickCount () returned 0x1144145 [0038.324] GetTickCount () returned 0x1144145 [0038.324] GetTickCount () returned 0x1144145 [0038.324] GetTickCount () returned 0x1144145 [0038.324] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.324] GetProcessHeap () returned 0x4e0000 [0038.324] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.324] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.326] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.326] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.326] GetProcessHeap () returned 0x4e0000 [0038.326] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.326] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.326] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.328] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.328] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.329] CloseHandle (hObject=0x208) returned 1 [0038.329] GetProcessHeap () returned 0x4e0000 [0038.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.329] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi_forv_{KNUJ5K}.for") returned 98 [0038.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi_forv_{knuj5k}.for")) returned 1 [0038.329] GetProcessHeap () returned 0x4e0000 [0038.329] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.329] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0038.329] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0038.329] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$Recycle.bin") returned 1 [0038.329] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="System Volume Information") returned -1 [0038.329] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files") returned -1 [0038.329] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Program Files (x86)") returned -1 [0038.330] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0038.330] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".for") returned 0x0 [0038.330] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.330] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="taridd") returned -1 [0038.330] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.330] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.330] GetTickCount () returned 0x1144155 [0038.330] GetTickCount () returned 0x1144155 [0038.330] GetTickCount () returned 0x1144155 [0038.330] GetTickCount () returned 0x1144155 [0038.330] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.330] GetProcessHeap () returned 0x4e0000 [0038.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.330] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x15b5, lpOverlapped=0x0) returned 1 [0038.331] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.332] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x15b5, lpOverlapped=0x0) returned 1 [0038.332] GetProcessHeap () returned 0x4e0000 [0038.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.332] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.332] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.332] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.332] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.332] CloseHandle (hObject=0x208) returned 1 [0038.332] GetProcessHeap () returned 0x4e0000 [0038.332] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.332] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml_forv_{KNUJ5K}.for") returned 98 [0038.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml_forv_{knuj5k}.for")) returned 1 [0038.333] GetProcessHeap () returned 0x4e0000 [0038.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.333] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0038.333] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0038.333] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$Recycle.bin") returned 1 [0038.333] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="System Volume Information") returned -1 [0038.333] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files") returned -1 [0038.333] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Program Files (x86)") returned -1 [0038.333] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0038.333] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".for") returned 0x0 [0038.333] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.333] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="taridd") returned -1 [0038.333] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.333] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.333] GetTickCount () returned 0x1144155 [0038.333] GetTickCount () returned 0x1144155 [0038.333] GetTickCount () returned 0x1144155 [0038.333] GetTickCount () returned 0x1144155 [0038.333] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.333] GetProcessHeap () returned 0x4e0000 [0038.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.333] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.352] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.352] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.352] GetProcessHeap () returned 0x4e0000 [0038.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.352] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.352] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.505] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.507] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.509] CloseHandle (hObject=0x208) returned 1 [0038.513] GetProcessHeap () returned 0x4e0000 [0038.514] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.516] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi_forv_{KNUJ5K}.for") returned 101 [0038.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi_forv_{knuj5k}.for")) returned 1 [0038.542] GetProcessHeap () returned 0x4e0000 [0038.542] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.543] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0038.544] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0038.545] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$Recycle.bin") returned 1 [0038.546] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="System Volume Information") returned -1 [0038.548] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files") returned -1 [0038.549] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Program Files (x86)") returned -1 [0038.549] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0038.552] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".for") returned 0x0 [0038.562] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.562] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="taridd") returned -1 [0038.564] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.565] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.569] GetTickCount () returned 0x114423f [0038.570] GetTickCount () returned 0x114423f [0038.571] GetTickCount () returned 0x114423f [0038.571] GetTickCount () returned 0x114423f [0038.573] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.576] GetProcessHeap () returned 0x4e0000 [0038.576] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.578] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x333, lpOverlapped=0x0) returned 1 [0038.594] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.597] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x333, lpOverlapped=0x0) returned 1 [0038.599] GetProcessHeap () returned 0x4e0000 [0038.599] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.600] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.601] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.603] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.605] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0038.606] CloseHandle (hObject=0x208) returned 1 [0038.610] GetProcessHeap () returned 0x4e0000 [0038.610] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0038.612] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml_forv_{KNUJ5K}.for") returned 101 [0038.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml_forv_{knuj5k}.for")) returned 1 [0038.627] GetProcessHeap () returned 0x4e0000 [0038.627] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0038.627] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0038.628] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0038.629] lstrcmpiW (lpString1="osetupui.dll", lpString2="$Recycle.bin") returned 1 [0038.629] lstrcmpiW (lpString1="osetupui.dll", lpString2="System Volume Information") returned -1 [0038.630] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files") returned -1 [0038.631] lstrcmpiW (lpString1="osetupui.dll", lpString2="Program Files (x86)") returned -1 [0038.632] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0038.632] StrStrIW (lpFirst="osetupui.dll", lpSrch=".for") returned 0x0 [0038.634] lstrcmpW (lpString1="osetupui.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0038.634] lstrcmpW (lpString1="osetupui.dll", lpString2="taridd") returned -1 [0038.634] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0038.636] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0038.639] GetTickCount () returned 0x114427d [0038.640] GetTickCount () returned 0x114428d [0038.641] GetTickCount () returned 0x114428d [0038.641] GetTickCount () returned 0x114428d [0038.643] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0038.646] GetProcessHeap () returned 0x4e0000 [0038.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0038.649] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.670] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0038.673] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0038.676] GetProcessHeap () returned 0x4e0000 [0038.677] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0038.677] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.679] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0038.793] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0038.845] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.080] CloseHandle (hObject=0x208) returned 1 [0039.085] GetProcessHeap () returned 0x4e0000 [0039.085] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.085] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll_forv_{KNUJ5K}.for") returned 97 [0039.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll_forv_{knuj5k}.for")) returned 1 [0039.094] GetProcessHeap () returned 0x4e0000 [0039.094] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.094] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0039.094] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0039.094] lstrcmpiW (lpString1="pss10r.chm", lpString2="$Recycle.bin") returned 1 [0039.094] lstrcmpiW (lpString1="pss10r.chm", lpString2="System Volume Information") returned -1 [0039.094] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files") returned 1 [0039.094] lstrcmpiW (lpString1="pss10r.chm", lpString2="Program Files (x86)") returned 1 [0039.094] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0039.094] StrStrIW (lpFirst="pss10r.chm", lpSrch=".for") returned 0x0 [0039.094] lstrcmpW (lpString1="pss10r.chm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.094] lstrcmpW (lpString1="pss10r.chm", lpString2="taridd") returned -1 [0039.094] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.094] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.095] GetTickCount () returned 0x1144451 [0039.095] GetTickCount () returned 0x1144451 [0039.095] GetTickCount () returned 0x1144451 [0039.095] GetTickCount () returned 0x1144451 [0039.095] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.095] GetProcessHeap () returned 0x4e0000 [0039.095] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.095] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.097] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.097] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.097] GetProcessHeap () returned 0x4e0000 [0039.097] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.097] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.097] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.097] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.097] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.097] CloseHandle (hObject=0x208) returned 1 [0039.097] GetProcessHeap () returned 0x4e0000 [0039.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.098] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm_forv_{KNUJ5K}.for") returned 95 [0039.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm_forv_{knuj5k}.for")) returned 1 [0039.098] GetProcessHeap () returned 0x4e0000 [0039.098] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.098] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0039.098] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0039.098] lstrcmpiW (lpString1="setup.chm", lpString2="$Recycle.bin") returned 1 [0039.098] lstrcmpiW (lpString1="setup.chm", lpString2="System Volume Information") returned -1 [0039.098] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files") returned 1 [0039.098] lstrcmpiW (lpString1="setup.chm", lpString2="Program Files (x86)") returned 1 [0039.098] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0039.098] StrStrIW (lpFirst="setup.chm", lpSrch=".for") returned 0x0 [0039.098] lstrcmpW (lpString1="setup.chm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.098] lstrcmpW (lpString1="setup.chm", lpString2="taridd") returned -1 [0039.098] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.098] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.099] GetTickCount () returned 0x1144451 [0039.099] GetTickCount () returned 0x1144451 [0039.099] GetTickCount () returned 0x1144451 [0039.099] GetTickCount () returned 0x1144451 [0039.099] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.099] GetProcessHeap () returned 0x4e0000 [0039.099] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.099] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.101] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.101] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.101] GetProcessHeap () returned 0x4e0000 [0039.101] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.101] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.101] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.101] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.101] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.101] CloseHandle (hObject=0x208) returned 1 [0039.101] GetProcessHeap () returned 0x4e0000 [0039.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.101] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm_forv_{KNUJ5K}.for") returned 94 [0039.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm_forv_{knuj5k}.for")) returned 1 [0039.102] GetProcessHeap () returned 0x4e0000 [0039.102] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.102] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0039.102] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0039.102] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0039.102] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0039.102] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0039.102] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0039.102] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0039.102] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0039.102] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.102] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0039.102] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.102] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.102] GetTickCount () returned 0x1144451 [0039.102] GetTickCount () returned 0x1144451 [0039.102] GetTickCount () returned 0x1144451 [0039.102] GetTickCount () returned 0x1144451 [0039.103] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.103] GetProcessHeap () returned 0x4e0000 [0039.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.103] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2488, lpOverlapped=0x0) returned 1 [0039.108] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.108] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2488, lpOverlapped=0x0) returned 1 [0039.108] GetProcessHeap () returned 0x4e0000 [0039.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.108] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.108] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.108] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.108] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.108] CloseHandle (hObject=0x208) returned 1 [0039.109] GetProcessHeap () returned 0x4e0000 [0039.109] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.109] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0039.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0039.110] GetProcessHeap () returned 0x4e0000 [0039.110] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.110] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0039.110] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0039.110] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$Recycle.bin") returned 1 [0039.110] lstrcmpiW (lpString1="ShellUI.MST", lpString2="System Volume Information") returned -1 [0039.111] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files") returned 1 [0039.111] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Program Files (x86)") returned 1 [0039.111] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0039.111] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".for") returned 0x0 [0039.111] lstrcmpW (lpString1="ShellUI.MST", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.111] lstrcmpW (lpString1="ShellUI.MST", lpString2="taridd") returned -1 [0039.111] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.111] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.111] GetTickCount () returned 0x1144461 [0039.111] GetTickCount () returned 0x1144461 [0039.111] GetTickCount () returned 0x1144461 [0039.111] GetTickCount () returned 0x1144461 [0039.111] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.111] GetProcessHeap () returned 0x4e0000 [0039.111] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.111] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0xe00, lpOverlapped=0x0) returned 1 [0039.113] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.113] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0xe00, lpOverlapped=0x0) returned 1 [0039.113] GetProcessHeap () returned 0x4e0000 [0039.113] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.113] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.113] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.113] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.113] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.113] CloseHandle (hObject=0x208) returned 1 [0039.116] GetProcessHeap () returned 0x4e0000 [0039.116] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.116] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST_forv_{KNUJ5K}.for") returned 96 [0039.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst_forv_{knuj5k}.for")) returned 1 [0039.116] GetProcessHeap () returned 0x4e0000 [0039.116] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.116] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0039.116] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0039.116] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0039.116] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0039.117] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0039.117] CloseHandle (hObject=0x150) returned 1 [0039.118] GetProcessHeap () returned 0x4e0000 [0039.118] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0039.118] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0039.118] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0039.118] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0039.118] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0039.118] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0039.118] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0039.118] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0039.118] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0039.118] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0039.118] GetProcessHeap () returned 0x4e0000 [0039.118] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0039.118] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned 68 [0039.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0039.120] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0039.120] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0039.120] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0039.120] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0039.120] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0039.120] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0039.120] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.120] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0039.120] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0039.120] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0039.120] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.120] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0039.120] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.120] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0039.121] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0039.121] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0039.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0039.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0039.121] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0039.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0039.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.121] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0039.121] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0039.121] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0039.121] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.121] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0039.121] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0039.121] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0039.121] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0039.121] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0039.121] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files") returned -1 [0039.121] lstrcmpiW (lpString1="Access.en-us", lpString2="Program Files (x86)") returned -1 [0039.121] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0039.121] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0039.121] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0039.121] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0039.121] GetProcessHeap () returned 0x4e0000 [0039.121] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.121] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned 81 [0039.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0039.123] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0039.123] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0039.123] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0039.123] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0039.123] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0039.123] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.") returned 81 [0039.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.123] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.123] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0039.123] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0039.123] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0039.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0039.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0039.124] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\..") returned 82 [0039.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0039.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.124] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0039.124] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0039.124] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$Recycle.bin") returned 1 [0039.124] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="System Volume Information") returned -1 [0039.124] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files") returned -1 [0039.124] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Program Files (x86)") returned -1 [0039.124] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0039.124] StrStrIW (lpFirst="AccessMUI.msi", lpSrch=".for") returned 0x0 [0039.124] lstrcmpW (lpString1="AccessMUI.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.124] lstrcmpW (lpString1="AccessMUI.msi", lpString2="taridd") returned -1 [0039.124] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.124] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0039.125] GetTickCount () returned 0x1144470 [0039.125] GetTickCount () returned 0x1144470 [0039.125] GetTickCount () returned 0x1144470 [0039.125] GetTickCount () returned 0x1144470 [0039.125] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0039.125] GetProcessHeap () returned 0x4e0000 [0039.125] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0039.125] ReadFile (in: hFile=0x204, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.126] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.126] WriteFile (in: hFile=0x204, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.127] GetProcessHeap () returned 0x4e0000 [0039.127] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0039.127] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.127] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0039.129] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0039.129] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0039.129] CloseHandle (hObject=0x204) returned 1 [0039.129] GetProcessHeap () returned 0x4e0000 [0039.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0039.129] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi_forv_{KNUJ5K}.for") returned 111 [0039.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi_forv_{knuj5k}.for")) returned 1 [0039.130] GetProcessHeap () returned 0x4e0000 [0039.130] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0039.130] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0039.130] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") returned -1 [0039.130] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$Recycle.bin") returned 1 [0039.130] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="System Volume Information") returned -1 [0039.130] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files") returned -1 [0039.130] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Program Files (x86)") returned -1 [0039.130] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0039.130] StrStrIW (lpFirst="AccessMUI.xml", lpSrch=".for") returned 0x0 [0039.130] lstrcmpW (lpString1="AccessMUI.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.130] lstrcmpW (lpString1="AccessMUI.xml", lpString2="taridd") returned -1 [0039.130] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.130] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0039.131] GetTickCount () returned 0x1144470 [0039.131] GetTickCount () returned 0x1144470 [0039.131] GetTickCount () returned 0x1144470 [0039.131] GetTickCount () returned 0x1144470 [0039.131] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0039.131] GetProcessHeap () returned 0x4e0000 [0039.131] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0039.131] ReadFile (in: hFile=0x204, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8edac*=0x545, lpOverlapped=0x0) returned 1 [0039.135] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffffabb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.135] WriteFile (in: hFile=0x204, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8edac*=0x545, lpOverlapped=0x0) returned 1 [0039.135] GetProcessHeap () returned 0x4e0000 [0039.135] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0039.135] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.135] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0039.135] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0039.136] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0039.136] CloseHandle (hObject=0x204) returned 1 [0039.136] GetProcessHeap () returned 0x4e0000 [0039.136] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0039.136] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml_forv_{KNUJ5K}.for") returned 111 [0039.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml_forv_{knuj5k}.for")) returned 1 [0039.136] GetProcessHeap () returned 0x4e0000 [0039.136] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0039.136] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0039.136] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0039.137] lstrcmpiW (lpString1="AccLR.cab", lpString2="$Recycle.bin") returned 1 [0039.137] lstrcmpiW (lpString1="AccLR.cab", lpString2="System Volume Information") returned -1 [0039.137] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files") returned -1 [0039.137] lstrcmpiW (lpString1="AccLR.cab", lpString2="Program Files (x86)") returned -1 [0039.137] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0039.137] StrStrIW (lpFirst="AccLR.cab", lpSrch=".for") returned 0x0 [0039.137] lstrcmpW (lpString1="AccLR.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.137] lstrcmpW (lpString1="AccLR.cab", lpString2="taridd") returned -1 [0039.137] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.137] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0039.139] GetTickCount () returned 0x1144470 [0039.139] GetTickCount () returned 0x1144470 [0039.139] GetTickCount () returned 0x1144470 [0039.139] GetTickCount () returned 0x1144470 [0039.139] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0039.140] GetProcessHeap () returned 0x4e0000 [0039.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0039.140] ReadFile (in: hFile=0x204, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.144] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.144] WriteFile (in: hFile=0x204, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.144] GetProcessHeap () returned 0x4e0000 [0039.144] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0039.144] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.144] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0039.147] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0039.147] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0039.147] CloseHandle (hObject=0x204) returned 1 [0039.147] GetProcessHeap () returned 0x4e0000 [0039.147] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0039.147] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab_forv_{KNUJ5K}.for") returned 107 [0039.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab_forv_{knuj5k}.for")) returned 1 [0039.148] GetProcessHeap () returned 0x4e0000 [0039.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0039.148] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0039.148] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0039.148] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0039.148] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0039.148] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files") returned -1 [0039.148] lstrcmpiW (lpString1="branding.xml", lpString2="Program Files (x86)") returned -1 [0039.148] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0039.148] StrStrIW (lpFirst="branding.xml", lpSrch=".for") returned 0x0 [0039.148] lstrcmpW (lpString1="branding.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.148] lstrcmpW (lpString1="branding.xml", lpString2="taridd") returned -1 [0039.148] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.148] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0039.149] GetTickCount () returned 0x1144480 [0039.149] GetTickCount () returned 0x1144480 [0039.149] GetTickCount () returned 0x1144480 [0039.149] GetTickCount () returned 0x1144480 [0039.149] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0039.150] GetProcessHeap () returned 0x4e0000 [0039.150] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0039.150] ReadFile (in: hFile=0x204, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.165] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.165] WriteFile (in: hFile=0x204, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0039.165] GetProcessHeap () returned 0x4e0000 [0039.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0039.165] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.166] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0039.168] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0039.168] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0039.168] CloseHandle (hObject=0x204) returned 1 [0039.168] GetProcessHeap () returned 0x4e0000 [0039.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0039.168] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml_forv_{KNUJ5K}.for") returned 110 [0039.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml_forv_{knuj5k}.for")) returned 1 [0039.168] GetProcessHeap () returned 0x4e0000 [0039.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0039.168] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 0 [0039.168] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0039.169] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0039.169] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.169] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0039.170] CloseHandle (hObject=0x208) returned 1 [0039.170] GetProcessHeap () returned 0x4e0000 [0039.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.170] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0039.170] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0039.170] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$Recycle.bin") returned 1 [0039.170] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="System Volume Information") returned -1 [0039.170] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files") returned -1 [0039.170] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Program Files (x86)") returned -1 [0039.170] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0039.170] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".for") returned 0x0 [0039.170] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.170] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="taridd") returned -1 [0039.170] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.170] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.170] GetTickCount () returned 0x114448f [0039.170] GetTickCount () returned 0x114448f [0039.170] GetTickCount () returned 0x114448f [0039.170] GetTickCount () returned 0x114448f [0039.170] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.170] GetProcessHeap () returned 0x4e0000 [0039.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.171] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.173] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.173] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.173] GetProcessHeap () returned 0x4e0000 [0039.173] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.173] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.173] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.175] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.175] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.175] CloseHandle (hObject=0x208) returned 1 [0039.175] GetProcessHeap () returned 0x4e0000 [0039.175] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.175] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi_forv_{KNUJ5K}.for") returned 101 [0039.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi_forv_{knuj5k}.for")) returned 1 [0039.176] GetProcessHeap () returned 0x4e0000 [0039.176] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.176] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0039.176] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0039.176] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$Recycle.bin") returned 1 [0039.176] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="System Volume Information") returned -1 [0039.176] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files") returned -1 [0039.176] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Program Files (x86)") returned -1 [0039.176] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0039.176] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".for") returned 0x0 [0039.176] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.176] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="taridd") returned -1 [0039.176] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.176] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.176] GetTickCount () returned 0x114449f [0039.176] GetTickCount () returned 0x114449f [0039.176] GetTickCount () returned 0x114449f [0039.176] GetTickCount () returned 0x114449f [0039.176] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.177] GetProcessHeap () returned 0x4e0000 [0039.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.177] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x333, lpOverlapped=0x0) returned 1 [0039.178] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.178] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x333, lpOverlapped=0x0) returned 1 [0039.178] GetProcessHeap () returned 0x4e0000 [0039.178] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.179] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.179] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.179] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.179] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.179] CloseHandle (hObject=0x208) returned 1 [0039.179] GetProcessHeap () returned 0x4e0000 [0039.179] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.179] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml_forv_{KNUJ5K}.for") returned 101 [0039.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml_forv_{knuj5k}.for")) returned 1 [0039.179] GetProcessHeap () returned 0x4e0000 [0039.179] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.179] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0039.180] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0039.180] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0039.180] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0039.180] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0039.180] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0039.180] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0039.180] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0039.180] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.180] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0039.180] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.180] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.180] GetTickCount () returned 0x114449f [0039.180] GetTickCount () returned 0x114449f [0039.180] GetTickCount () returned 0x114449f [0039.180] GetTickCount () returned 0x114449f [0039.180] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.180] GetProcessHeap () returned 0x4e0000 [0039.180] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.180] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0xa40, lpOverlapped=0x0) returned 1 [0039.183] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.184] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0xa40, lpOverlapped=0x0) returned 1 [0039.184] GetProcessHeap () returned 0x4e0000 [0039.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.184] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.184] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.184] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.184] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.184] CloseHandle (hObject=0x208) returned 1 [0039.184] GetProcessHeap () returned 0x4e0000 [0039.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.184] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0039.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0039.185] GetProcessHeap () returned 0x4e0000 [0039.185] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.185] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0039.185] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0039.185] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0039.185] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0039.185] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0039.186] CloseHandle (hObject=0x150) returned 1 [0039.186] GetProcessHeap () returned 0x4e0000 [0039.186] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0039.186] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0039.186] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0039.186] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0039.186] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0039.186] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0039.186] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0039.186] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0039.186] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0039.186] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0039.186] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0039.186] GetProcessHeap () returned 0x4e0000 [0039.186] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0039.186] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned 68 [0039.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0039.194] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0039.195] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0039.282] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0039.331] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0039.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0039.332] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0039.333] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.334] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0039.334] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0039.334] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0039.335] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.336] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0039.341] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0039.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0039.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0039.344] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0039.345] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0039.346] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0039.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0039.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.347] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0039.348] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0039.349] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0039.349] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.350] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0039.352] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0039.353] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0039.354] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0039.354] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0039.355] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0039.355] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0039.356] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0039.356] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".for") returned 0x0 [0039.356] lstrcmpW (lpString1="Office32WW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.358] lstrcmpW (lpString1="Office32WW.msi", lpString2="taridd") returned -1 [0039.358] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.359] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.370] GetTickCount () returned 0x114455a [0039.370] GetTickCount () returned 0x114455a [0039.370] GetTickCount () returned 0x114455a [0039.371] GetTickCount () returned 0x114455a [0039.373] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.375] GetProcessHeap () returned 0x4e0000 [0039.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.377] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.396] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.398] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.404] GetProcessHeap () returned 0x4e0000 [0039.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.405] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.407] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.426] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.429] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.430] CloseHandle (hObject=0x208) returned 1 [0039.434] GetProcessHeap () returned 0x4e0000 [0039.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.435] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for") returned 99 [0039.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi_forv_{knuj5k}.for")) returned 1 [0039.447] GetProcessHeap () returned 0x4e0000 [0039.448] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.449] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0039.450] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0039.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0039.451] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0039.452] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0039.452] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0039.453] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0039.453] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".for") returned 0x0 [0039.453] lstrcmpW (lpString1="Office32WW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.454] lstrcmpW (lpString1="Office32WW.xml", lpString2="taridd") returned -1 [0039.455] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.455] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.460] GetTickCount () returned 0x11445b8 [0039.460] GetTickCount () returned 0x11445b8 [0039.460] GetTickCount () returned 0x11445b8 [0039.461] GetTickCount () returned 0x11445b8 [0039.462] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.470] GetProcessHeap () returned 0x4e0000 [0039.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.472] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0039.493] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.495] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0039.497] GetProcessHeap () returned 0x4e0000 [0039.497] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.498] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.499] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.501] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.502] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.503] CloseHandle (hObject=0x208) returned 1 [0039.506] GetProcessHeap () returned 0x4e0000 [0039.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.507] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for") returned 99 [0039.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml_forv_{knuj5k}.for")) returned 1 [0039.519] GetProcessHeap () returned 0x4e0000 [0039.519] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.520] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0039.520] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0039.521] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0039.521] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0039.522] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0039.522] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0039.523] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0039.524] StrStrIW (lpFirst="ose.exe", lpSrch=".for") returned 0x0 [0039.524] lstrcmpW (lpString1="ose.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.524] lstrcmpW (lpString1="ose.exe", lpString2="taridd") returned -1 [0039.525] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.526] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.537] GetTickCount () returned 0x1144606 [0039.537] GetTickCount () returned 0x1144606 [0039.538] GetTickCount () returned 0x1144606 [0039.538] GetTickCount () returned 0x1144606 [0039.538] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.543] GetProcessHeap () returned 0x4e0000 [0039.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.544] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.571] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.571] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.571] GetProcessHeap () returned 0x4e0000 [0039.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.571] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.572] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.573] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.573] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.573] CloseHandle (hObject=0x208) returned 1 [0039.573] GetProcessHeap () returned 0x4e0000 [0039.573] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.573] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for") returned 92 [0039.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe_forv_{knuj5k}.for")) returned 1 [0039.574] GetProcessHeap () returned 0x4e0000 [0039.574] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.574] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0039.574] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0039.574] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0039.574] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0039.574] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0039.574] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0039.574] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0039.574] StrStrIW (lpFirst="osetup.dll", lpSrch=".for") returned 0x0 [0039.574] lstrcmpW (lpString1="osetup.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.574] lstrcmpW (lpString1="osetup.dll", lpString2="taridd") returned -1 [0039.574] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.574] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.575] GetTickCount () returned 0x1144625 [0039.575] GetTickCount () returned 0x1144625 [0039.575] GetTickCount () returned 0x1144625 [0039.575] GetTickCount () returned 0x1144625 [0039.575] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.575] GetProcessHeap () returned 0x4e0000 [0039.575] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.575] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.577] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.577] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.578] GetProcessHeap () returned 0x4e0000 [0039.578] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.578] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.578] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.581] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.581] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.581] CloseHandle (hObject=0x208) returned 1 [0039.581] GetProcessHeap () returned 0x4e0000 [0039.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.581] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for") returned 95 [0039.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll_forv_{knuj5k}.for")) returned 1 [0039.582] GetProcessHeap () returned 0x4e0000 [0039.582] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.582] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0039.582] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0039.582] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0039.582] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0039.582] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0039.582] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0039.582] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0039.582] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".for") returned 0x0 [0039.582] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.582] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="taridd") returned -1 [0039.582] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.582] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.582] GetTickCount () returned 0x1144635 [0039.582] GetTickCount () returned 0x1144635 [0039.582] GetTickCount () returned 0x1144635 [0039.582] GetTickCount () returned 0x1144635 [0039.583] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.583] GetProcessHeap () returned 0x4e0000 [0039.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.583] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.586] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.586] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.587] GetProcessHeap () returned 0x4e0000 [0039.587] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.587] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.587] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.589] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.589] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.589] CloseHandle (hObject=0x208) returned 1 [0039.589] GetProcessHeap () returned 0x4e0000 [0039.589] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.589] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for") returned 97 [0039.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab_forv_{knuj5k}.for")) returned 1 [0039.590] GetProcessHeap () returned 0x4e0000 [0039.590] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.590] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0039.590] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0039.590] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0039.590] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0039.590] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0039.590] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0039.590] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0039.590] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".for") returned 0x0 [0039.590] lstrcmpW (lpString1="PidGenX.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.590] lstrcmpW (lpString1="PidGenX.dll", lpString2="taridd") returned -1 [0039.590] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.590] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.591] GetTickCount () returned 0x1144635 [0039.591] GetTickCount () returned 0x1144635 [0039.591] GetTickCount () returned 0x1144635 [0039.591] GetTickCount () returned 0x1144635 [0039.591] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.591] GetProcessHeap () returned 0x4e0000 [0039.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.591] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.599] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.603] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.606] GetProcessHeap () returned 0x4e0000 [0039.606] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.607] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.612] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.898] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.899] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.901] CloseHandle (hObject=0x208) returned 1 [0039.905] GetProcessHeap () returned 0x4e0000 [0039.905] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.905] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for") returned 96 [0039.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll_forv_{knuj5k}.for")) returned 1 [0039.905] GetProcessHeap () returned 0x4e0000 [0039.905] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.905] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0039.905] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0039.905] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0039.905] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0039.905] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0039.905] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0039.905] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0039.905] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".for") returned 0x0 [0039.906] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.906] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="taridd") returned -1 [0039.906] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.906] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.906] GetTickCount () returned 0x114477c [0039.906] GetTickCount () returned 0x114477c [0039.906] GetTickCount () returned 0x114477c [0039.906] GetTickCount () returned 0x114477c [0039.906] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.906] GetProcessHeap () returned 0x4e0000 [0039.906] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.906] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.908] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.908] GetProcessHeap () returned 0x4e0000 [0039.908] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.908] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.911] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.911] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.911] CloseHandle (hObject=0x208) returned 1 [0039.911] GetProcessHeap () returned 0x4e0000 [0039.911] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.911] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for") returned 109 [0039.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms_forv_{knuj5k}.for")) returned 1 [0039.912] GetProcessHeap () returned 0x4e0000 [0039.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.912] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0039.912] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0039.912] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$Recycle.bin") returned 1 [0039.912] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="System Volume Information") returned -1 [0039.912] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files") returned 1 [0039.912] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Program Files (x86)") returned 1 [0039.912] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0039.912] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".for") returned 0x0 [0039.912] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.912] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="taridd") returned -1 [0039.912] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.912] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.916] GetTickCount () returned 0x114477c [0039.916] GetTickCount () returned 0x114477c [0039.916] GetTickCount () returned 0x114477c [0039.916] GetTickCount () returned 0x114477c [0039.916] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.916] GetProcessHeap () returned 0x4e0000 [0039.916] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.916] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.919] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.919] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.920] GetProcessHeap () returned 0x4e0000 [0039.920] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.920] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.920] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.932] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.932] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.932] CloseHandle (hObject=0x208) returned 1 [0039.932] GetProcessHeap () returned 0x4e0000 [0039.932] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.932] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi_forv_{KNUJ5K}.for") returned 99 [0039.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi_forv_{knuj5k}.for")) returned 1 [0039.933] GetProcessHeap () returned 0x4e0000 [0039.933] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.933] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0039.933] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0039.933] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$Recycle.bin") returned 1 [0039.934] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="System Volume Information") returned -1 [0039.934] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files") returned 1 [0039.934] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Program Files (x86)") returned 1 [0039.934] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0039.934] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".for") returned 0x0 [0039.934] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.934] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="taridd") returned -1 [0039.934] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.934] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.934] GetTickCount () returned 0x114478c [0039.934] GetTickCount () returned 0x114478c [0039.934] GetTickCount () returned 0x114478c [0039.934] GetTickCount () returned 0x114478c [0039.934] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.934] GetProcessHeap () returned 0x4e0000 [0039.934] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.934] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.936] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.936] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.937] GetProcessHeap () returned 0x4e0000 [0039.937] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.937] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.937] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.937] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.937] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.937] CloseHandle (hObject=0x208) returned 1 [0039.937] GetProcessHeap () returned 0x4e0000 [0039.938] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.938] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml_forv_{KNUJ5K}.for") returned 99 [0039.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml_forv_{knuj5k}.for")) returned 1 [0039.938] GetProcessHeap () returned 0x4e0000 [0039.938] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.938] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0039.938] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0039.938] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$Recycle.bin") returned 1 [0039.938] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="System Volume Information") returned -1 [0039.938] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files") returned 1 [0039.938] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Program Files (x86)") returned 1 [0039.938] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0039.938] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".for") returned 0x0 [0039.938] lstrcmpW (lpString1="ProPrWW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.938] lstrcmpW (lpString1="ProPrWW.cab", lpString2="taridd") returned -1 [0039.938] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.938] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.940] GetTickCount () returned 0x114479b [0039.940] GetTickCount () returned 0x114479b [0039.940] GetTickCount () returned 0x114479b [0039.940] GetTickCount () returned 0x114479b [0039.940] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.940] GetProcessHeap () returned 0x4e0000 [0039.940] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.940] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.958] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.958] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.958] GetProcessHeap () returned 0x4e0000 [0039.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.958] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.958] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.960] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.960] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.960] CloseHandle (hObject=0x208) returned 1 [0039.960] GetProcessHeap () returned 0x4e0000 [0039.960] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.960] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab_forv_{KNUJ5K}.for") returned 96 [0039.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab_forv_{knuj5k}.for")) returned 1 [0039.961] GetProcessHeap () returned 0x4e0000 [0039.961] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.961] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0039.961] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0039.961] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$Recycle.bin") returned 1 [0039.961] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="System Volume Information") returned -1 [0039.961] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files") returned 1 [0039.961] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Program Files (x86)") returned 1 [0039.961] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0039.961] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".for") returned 0x0 [0039.961] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.961] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="taridd") returned -1 [0039.961] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.961] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.962] GetTickCount () returned 0x11447ab [0039.962] GetTickCount () returned 0x11447ab [0039.962] GetTickCount () returned 0x11447ab [0039.962] GetTickCount () returned 0x11447ab [0039.962] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.963] GetProcessHeap () returned 0x4e0000 [0039.963] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.963] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.968] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0039.968] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.968] GetProcessHeap () returned 0x4e0000 [0039.968] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0039.968] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.968] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0039.970] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0039.970] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0039.970] CloseHandle (hObject=0x208) returned 1 [0039.971] GetProcessHeap () returned 0x4e0000 [0039.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0039.971] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab_forv_{KNUJ5K}.for") returned 97 [0039.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab_forv_{knuj5k}.for")) returned 1 [0039.971] GetProcessHeap () returned 0x4e0000 [0039.971] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0039.971] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0039.971] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0039.971] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0039.971] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0039.971] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0039.971] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0039.971] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0039.971] StrStrIW (lpFirst="setup.exe", lpSrch=".for") returned 0x0 [0039.971] lstrcmpW (lpString1="setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0039.971] lstrcmpW (lpString1="setup.exe", lpString2="taridd") returned -1 [0039.971] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0039.972] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0039.972] GetTickCount () returned 0x11447bb [0039.972] GetTickCount () returned 0x11447bb [0039.972] GetTickCount () returned 0x11447bb [0039.972] GetTickCount () returned 0x11447bb [0039.972] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0039.972] GetProcessHeap () returned 0x4e0000 [0039.972] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0039.972] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0039.980] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.100] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.105] GetProcessHeap () returned 0x4e0000 [0040.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.108] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.111] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.140] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.143] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.145] CloseHandle (hObject=0x208) returned 1 [0040.150] GetProcessHeap () returned 0x4e0000 [0040.150] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.158] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for") returned 94 [0040.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe_forv_{knuj5k}.for")) returned 1 [0040.173] GetProcessHeap () returned 0x4e0000 [0040.173] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.174] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.176] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0040.177] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0040.178] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0040.181] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0040.184] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0040.187] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0040.187] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0040.188] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.189] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0040.190] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.191] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.197] GetTickCount () returned 0x1144895 [0040.197] GetTickCount () returned 0x1144895 [0040.198] GetTickCount () returned 0x1144895 [0040.199] GetTickCount () returned 0x1144895 [0040.200] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.204] GetProcessHeap () returned 0x4e0000 [0040.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.206] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.235] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.237] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.242] GetProcessHeap () returned 0x4e0000 [0040.242] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.246] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.253] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.255] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.256] CloseHandle (hObject=0x208) returned 1 [0040.262] GetProcessHeap () returned 0x4e0000 [0040.262] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.263] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0040.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0040.285] GetProcessHeap () returned 0x4e0000 [0040.285] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0040.287] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0040.289] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0040.290] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0040.309] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0040.314] CloseHandle (hObject=0x150) returned 1 [0040.315] GetProcessHeap () returned 0x4e0000 [0040.315] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0040.315] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0040.315] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0040.315] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0040.315] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0040.315] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0040.315] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0040.315] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0040.315] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0040.315] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0040.315] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0040.315] GetProcessHeap () returned 0x4e0000 [0040.315] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0040.315] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned 68 [0040.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0040.331] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0040.331] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0040.331] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0040.332] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0040.332] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0040.332] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0040.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.332] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0040.332] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0040.332] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0040.332] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.332] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.332] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.332] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0040.332] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0040.332] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0040.332] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0040.332] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0040.332] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0040.332] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0040.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.332] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0040.332] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0040.332] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0040.332] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.332] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.332] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0040.332] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0040.332] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0040.332] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0040.332] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0040.333] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0040.333] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0040.333] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".for") returned 0x0 [0040.333] lstrcmpW (lpString1="Office32WW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.333] lstrcmpW (lpString1="Office32WW.msi", lpString2="taridd") returned -1 [0040.333] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.333] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.334] GetTickCount () returned 0x1144921 [0040.334] GetTickCount () returned 0x1144921 [0040.334] GetTickCount () returned 0x1144921 [0040.334] GetTickCount () returned 0x1144921 [0040.334] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.334] GetProcessHeap () returned 0x4e0000 [0040.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.334] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.651] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.652] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.652] GetProcessHeap () returned 0x4e0000 [0040.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.652] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.652] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.659] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.659] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.659] CloseHandle (hObject=0x208) returned 1 [0040.659] GetProcessHeap () returned 0x4e0000 [0040.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.659] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for") returned 99 [0040.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi_forv_{knuj5k}.for")) returned 1 [0040.660] GetProcessHeap () returned 0x4e0000 [0040.660] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.660] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0040.660] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0040.660] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0040.660] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0040.660] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0040.660] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0040.660] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0040.660] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".for") returned 0x0 [0040.660] lstrcmpW (lpString1="Office32WW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.660] lstrcmpW (lpString1="Office32WW.xml", lpString2="taridd") returned -1 [0040.660] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.660] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.661] GetTickCount () returned 0x1144a69 [0040.661] GetTickCount () returned 0x1144a69 [0040.661] GetTickCount () returned 0x1144a69 [0040.661] GetTickCount () returned 0x1144a69 [0040.661] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.661] GetProcessHeap () returned 0x4e0000 [0040.661] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.661] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0040.662] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.663] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0040.663] GetProcessHeap () returned 0x4e0000 [0040.663] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.663] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.663] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.663] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.663] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.663] CloseHandle (hObject=0x208) returned 1 [0040.663] GetProcessHeap () returned 0x4e0000 [0040.663] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.663] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for") returned 99 [0040.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml_forv_{knuj5k}.for")) returned 1 [0040.664] GetProcessHeap () returned 0x4e0000 [0040.664] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.664] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0040.664] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0040.664] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0040.664] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0040.664] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0040.664] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0040.664] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0040.664] StrStrIW (lpFirst="ose.exe", lpSrch=".for") returned 0x0 [0040.664] lstrcmpW (lpString1="ose.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.664] lstrcmpW (lpString1="ose.exe", lpString2="taridd") returned -1 [0040.664] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.664] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.664] GetTickCount () returned 0x1144a69 [0040.664] GetTickCount () returned 0x1144a69 [0040.664] GetTickCount () returned 0x1144a69 [0040.664] GetTickCount () returned 0x1144a69 [0040.664] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.665] GetProcessHeap () returned 0x4e0000 [0040.665] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.665] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.667] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.667] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.667] GetProcessHeap () returned 0x4e0000 [0040.667] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.667] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.667] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.668] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.668] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.668] CloseHandle (hObject=0x208) returned 1 [0040.669] GetProcessHeap () returned 0x4e0000 [0040.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.669] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for") returned 92 [0040.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe_forv_{knuj5k}.for")) returned 1 [0040.670] GetProcessHeap () returned 0x4e0000 [0040.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.670] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0040.670] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0040.670] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0040.670] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0040.670] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0040.670] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0040.670] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0040.670] StrStrIW (lpFirst="osetup.dll", lpSrch=".for") returned 0x0 [0040.670] lstrcmpW (lpString1="osetup.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.670] lstrcmpW (lpString1="osetup.dll", lpString2="taridd") returned -1 [0040.670] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.670] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.670] GetTickCount () returned 0x1144a79 [0040.670] GetTickCount () returned 0x1144a79 [0040.670] GetTickCount () returned 0x1144a79 [0040.670] GetTickCount () returned 0x1144a79 [0040.670] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.670] GetProcessHeap () returned 0x4e0000 [0040.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.670] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.673] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.673] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.673] GetProcessHeap () returned 0x4e0000 [0040.673] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.673] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.673] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.676] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.676] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.676] CloseHandle (hObject=0x208) returned 1 [0040.676] GetProcessHeap () returned 0x4e0000 [0040.676] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.676] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for") returned 95 [0040.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll_forv_{knuj5k}.for")) returned 1 [0040.677] GetProcessHeap () returned 0x4e0000 [0040.677] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.677] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0040.677] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0040.677] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0040.677] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0040.677] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0040.677] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0040.677] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0040.677] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".for") returned 0x0 [0040.677] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.677] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="taridd") returned -1 [0040.677] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.677] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.678] GetTickCount () returned 0x1144a79 [0040.678] GetTickCount () returned 0x1144a79 [0040.678] GetTickCount () returned 0x1144a79 [0040.678] GetTickCount () returned 0x1144a79 [0040.678] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.678] GetProcessHeap () returned 0x4e0000 [0040.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.678] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.681] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.681] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.681] GetProcessHeap () returned 0x4e0000 [0040.681] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.681] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.681] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.692] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.692] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.692] CloseHandle (hObject=0x208) returned 1 [0040.693] GetProcessHeap () returned 0x4e0000 [0040.693] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.693] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for") returned 97 [0040.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab_forv_{knuj5k}.for")) returned 1 [0040.693] GetProcessHeap () returned 0x4e0000 [0040.693] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.693] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0040.693] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0040.693] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0040.693] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0040.693] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0040.693] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0040.693] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0040.693] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".for") returned 0x0 [0040.693] lstrcmpW (lpString1="PidGenX.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.693] lstrcmpW (lpString1="PidGenX.dll", lpString2="taridd") returned -1 [0040.693] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.693] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.694] GetTickCount () returned 0x1144a88 [0040.694] GetTickCount () returned 0x1144a88 [0040.694] GetTickCount () returned 0x1144a88 [0040.694] GetTickCount () returned 0x1144a88 [0040.694] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.694] GetProcessHeap () returned 0x4e0000 [0040.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.694] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.696] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.696] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.696] GetProcessHeap () returned 0x4e0000 [0040.696] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.696] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.696] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.712] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.712] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.712] CloseHandle (hObject=0x208) returned 1 [0040.712] GetProcessHeap () returned 0x4e0000 [0040.712] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.712] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for") returned 96 [0040.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll_forv_{knuj5k}.for")) returned 1 [0040.713] GetProcessHeap () returned 0x4e0000 [0040.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.713] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0040.713] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0040.713] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0040.713] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0040.713] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0040.713] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0040.713] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0040.713] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".for") returned 0x0 [0040.713] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.713] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="taridd") returned -1 [0040.713] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.713] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.714] GetTickCount () returned 0x1144a98 [0040.714] GetTickCount () returned 0x1144a98 [0040.714] GetTickCount () returned 0x1144a98 [0040.715] GetTickCount () returned 0x1144a98 [0040.715] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.715] GetProcessHeap () returned 0x4e0000 [0040.715] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.715] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.716] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.716] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.717] GetProcessHeap () returned 0x4e0000 [0040.717] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.717] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.717] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.719] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.719] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.719] CloseHandle (hObject=0x208) returned 1 [0040.720] GetProcessHeap () returned 0x4e0000 [0040.720] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.720] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for") returned 109 [0040.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms_forv_{knuj5k}.for")) returned 1 [0040.720] GetProcessHeap () returned 0x4e0000 [0040.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.720] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0040.720] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0040.720] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$Recycle.bin") returned 1 [0040.720] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="System Volume Information") returned -1 [0040.720] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files") returned -1 [0040.720] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Program Files (x86)") returned -1 [0040.720] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0040.720] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".for") returned 0x0 [0040.720] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.720] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="taridd") returned -1 [0040.720] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.720] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.721] GetTickCount () returned 0x1144aa7 [0040.721] GetTickCount () returned 0x1144aa7 [0040.721] GetTickCount () returned 0x1144aa7 [0040.721] GetTickCount () returned 0x1144aa7 [0040.721] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.721] GetProcessHeap () returned 0x4e0000 [0040.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.721] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.723] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0040.723] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0040.723] GetProcessHeap () returned 0x4e0000 [0040.723] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0040.723] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.723] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0040.877] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0040.880] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0040.881] CloseHandle (hObject=0x208) returned 1 [0040.885] GetProcessHeap () returned 0x4e0000 [0040.885] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0040.887] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi_forv_{KNUJ5K}.for") returned 98 [0040.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi_forv_{knuj5k}.for")) returned 1 [0040.903] GetProcessHeap () returned 0x4e0000 [0040.904] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0040.905] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0040.906] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0040.907] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$Recycle.bin") returned 1 [0040.907] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="System Volume Information") returned -1 [0040.908] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files") returned -1 [0040.909] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Program Files (x86)") returned -1 [0040.910] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0040.910] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".for") returned 0x0 [0040.911] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0040.913] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="taridd") returned -1 [0040.914] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0040.914] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0040.921] GetTickCount () returned 0x1144b72 [0040.922] GetTickCount () returned 0x1144b72 [0040.922] GetTickCount () returned 0x1144b72 [0040.923] GetTickCount () returned 0x1144b72 [0040.925] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0040.928] GetProcessHeap () returned 0x4e0000 [0040.929] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0040.930] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x1915, lpOverlapped=0x0) returned 1 [0041.020] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffe6eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.024] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x1915, lpOverlapped=0x0) returned 1 [0041.033] GetProcessHeap () returned 0x4e0000 [0041.034] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.035] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.039] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.041] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.045] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.047] CloseHandle (hObject=0x208) returned 1 [0041.053] GetProcessHeap () returned 0x4e0000 [0041.053] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.055] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml_forv_{KNUJ5K}.for") returned 98 [0041.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml_forv_{knuj5k}.for")) returned 1 [0041.055] GetProcessHeap () returned 0x4e0000 [0041.055] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.056] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0041.056] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0041.056] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$Recycle.bin") returned 1 [0041.056] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="System Volume Information") returned -1 [0041.056] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files") returned -1 [0041.056] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Program Files (x86)") returned -1 [0041.056] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0041.056] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".for") returned 0x0 [0041.056] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.056] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="taridd") returned -1 [0041.056] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.056] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.056] GetTickCount () returned 0x1144bef [0041.056] GetTickCount () returned 0x1144bef [0041.056] GetTickCount () returned 0x1144bef [0041.056] GetTickCount () returned 0x1144bef [0041.056] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.056] GetProcessHeap () returned 0x4e0000 [0041.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.056] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.073] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.073] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.073] GetProcessHeap () returned 0x4e0000 [0041.073] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.074] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.074] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.099] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.219] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.350] CloseHandle (hObject=0x208) returned 1 [0041.383] GetProcessHeap () returned 0x4e0000 [0041.383] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.383] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab_forv_{KNUJ5K}.for") returned 97 [0041.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab_forv_{knuj5k}.for")) returned 1 [0041.389] GetProcessHeap () returned 0x4e0000 [0041.389] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.390] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0041.392] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0041.392] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0041.394] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0041.394] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0041.394] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0041.394] StrStrIW (lpFirst="setup.exe", lpSrch=".for") returned 0x0 [0041.394] lstrcmpW (lpString1="setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.394] lstrcmpW (lpString1="setup.exe", lpString2="taridd") returned -1 [0041.394] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.394] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.394] GetTickCount () returned 0x1144d46 [0041.394] GetTickCount () returned 0x1144d46 [0041.395] GetTickCount () returned 0x1144d46 [0041.395] GetTickCount () returned 0x1144d46 [0041.395] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.395] GetProcessHeap () returned 0x4e0000 [0041.395] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.395] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.397] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.397] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.397] GetProcessHeap () returned 0x4e0000 [0041.397] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.397] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.397] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.400] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.400] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.400] CloseHandle (hObject=0x208) returned 1 [0041.400] GetProcessHeap () returned 0x4e0000 [0041.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.401] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for") returned 94 [0041.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe_forv_{knuj5k}.for")) returned 1 [0041.401] GetProcessHeap () returned 0x4e0000 [0041.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.401] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.401] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0041.401] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0041.401] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0041.401] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0041.401] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0041.401] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0041.401] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0041.401] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.401] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0041.401] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.401] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.402] GetTickCount () returned 0x1144d46 [0041.402] GetTickCount () returned 0x1144d46 [0041.402] GetTickCount () returned 0x1144d46 [0041.402] GetTickCount () returned 0x1144d46 [0041.402] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.402] GetProcessHeap () returned 0x4e0000 [0041.402] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.402] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.403] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.404] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.404] GetProcessHeap () returned 0x4e0000 [0041.404] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.404] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.404] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.404] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.404] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.404] CloseHandle (hObject=0x208) returned 1 [0041.405] GetProcessHeap () returned 0x4e0000 [0041.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.405] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0041.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0041.405] GetProcessHeap () returned 0x4e0000 [0041.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.405] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0041.405] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0041.405] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0041.405] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0041.408] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0041.408] CloseHandle (hObject=0x150) returned 1 [0041.409] GetProcessHeap () returned 0x4e0000 [0041.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0041.409] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0041.409] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0041.409] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0041.409] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0041.409] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files") returned -1 [0041.409] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Program Files (x86)") returned -1 [0041.409] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0041.409] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0041.409] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0041.409] lstrcmpW (lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.409] GetProcessHeap () returned 0x4e0000 [0041.409] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0041.409] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned 68 [0041.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0041.411] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.411] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.411] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.411] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.411] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.411] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0041.411] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.411] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0041.411] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0041.411] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0041.411] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.411] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.412] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.412] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.412] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.412] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.412] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.412] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0041.412] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.412] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.412] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0041.412] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0041.412] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0041.412] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.412] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.412] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.412] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0041.412] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0041.412] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0041.412] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files") returned -1 [0041.412] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Program Files (x86)") returned -1 [0041.412] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0041.412] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".for") returned 0x0 [0041.412] lstrcmpW (lpString1="Office32WW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.412] lstrcmpW (lpString1="Office32WW.msi", lpString2="taridd") returned -1 [0041.412] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.412] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.413] GetTickCount () returned 0x1144d56 [0041.413] GetTickCount () returned 0x1144d56 [0041.413] GetTickCount () returned 0x1144d56 [0041.413] GetTickCount () returned 0x1144d56 [0041.413] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.413] GetProcessHeap () returned 0x4e0000 [0041.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.413] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.415] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.415] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.415] GetProcessHeap () returned 0x4e0000 [0041.415] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.415] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.415] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.417] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.417] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.417] CloseHandle (hObject=0x208) returned 1 [0041.417] GetProcessHeap () returned 0x4e0000 [0041.417] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.417] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for") returned 99 [0041.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi_forv_{knuj5k}.for")) returned 1 [0041.418] GetProcessHeap () returned 0x4e0000 [0041.418] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.418] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0041.418] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0041.418] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0041.418] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0041.418] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files") returned -1 [0041.418] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Program Files (x86)") returned -1 [0041.418] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0041.418] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".for") returned 0x0 [0041.418] lstrcmpW (lpString1="Office32WW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.418] lstrcmpW (lpString1="Office32WW.xml", lpString2="taridd") returned -1 [0041.418] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.418] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.419] GetTickCount () returned 0x1144d65 [0041.419] GetTickCount () returned 0x1144d65 [0041.419] GetTickCount () returned 0x1144d65 [0041.419] GetTickCount () returned 0x1144d65 [0041.419] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.419] GetProcessHeap () returned 0x4e0000 [0041.419] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.419] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0041.420] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffef4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.420] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x10b2, lpOverlapped=0x0) returned 1 [0041.420] GetProcessHeap () returned 0x4e0000 [0041.420] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.420] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.420] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.421] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.421] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.421] CloseHandle (hObject=0x208) returned 1 [0041.421] GetProcessHeap () returned 0x4e0000 [0041.421] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.421] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for") returned 99 [0041.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml_forv_{knuj5k}.for")) returned 1 [0041.421] GetProcessHeap () returned 0x4e0000 [0041.421] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.421] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.421] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0041.421] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0041.421] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0041.421] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files") returned -1 [0041.421] lstrcmpiW (lpString1="ose.exe", lpString2="Program Files (x86)") returned -1 [0041.421] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0041.421] StrStrIW (lpFirst="ose.exe", lpSrch=".for") returned 0x0 [0041.422] lstrcmpW (lpString1="ose.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.422] lstrcmpW (lpString1="ose.exe", lpString2="taridd") returned -1 [0041.422] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.422] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.422] GetTickCount () returned 0x1144d65 [0041.422] GetTickCount () returned 0x1144d65 [0041.422] GetTickCount () returned 0x1144d65 [0041.422] GetTickCount () returned 0x1144d65 [0041.422] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.423] GetProcessHeap () returned 0x4e0000 [0041.423] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.423] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.424] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.424] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.425] GetProcessHeap () returned 0x4e0000 [0041.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.425] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.425] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.426] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.426] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.426] CloseHandle (hObject=0x208) returned 1 [0041.426] GetProcessHeap () returned 0x4e0000 [0041.426] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.426] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for") returned 92 [0041.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe_forv_{knuj5k}.for")) returned 1 [0041.427] GetProcessHeap () returned 0x4e0000 [0041.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.427] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.427] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0041.427] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0041.427] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0041.427] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files") returned -1 [0041.427] lstrcmpiW (lpString1="osetup.dll", lpString2="Program Files (x86)") returned -1 [0041.427] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0041.427] StrStrIW (lpFirst="osetup.dll", lpSrch=".for") returned 0x0 [0041.427] lstrcmpW (lpString1="osetup.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.427] lstrcmpW (lpString1="osetup.dll", lpString2="taridd") returned -1 [0041.427] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.427] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.427] GetTickCount () returned 0x1144d65 [0041.427] GetTickCount () returned 0x1144d65 [0041.427] GetTickCount () returned 0x1144d65 [0041.427] GetTickCount () returned 0x1144d65 [0041.427] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.427] GetProcessHeap () returned 0x4e0000 [0041.427] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.428] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.430] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.430] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.430] GetProcessHeap () returned 0x4e0000 [0041.430] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.430] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.430] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.433] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.433] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.433] CloseHandle (hObject=0x208) returned 1 [0041.434] GetProcessHeap () returned 0x4e0000 [0041.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.434] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for") returned 95 [0041.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll_forv_{knuj5k}.for")) returned 1 [0041.434] GetProcessHeap () returned 0x4e0000 [0041.434] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.434] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0041.434] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0041.434] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0041.434] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files") returned -1 [0041.434] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Program Files (x86)") returned -1 [0041.434] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0041.434] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".for") returned 0x0 [0041.434] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.434] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="taridd") returned -1 [0041.434] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.434] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.435] GetTickCount () returned 0x1144d75 [0041.435] GetTickCount () returned 0x1144d75 [0041.435] GetTickCount () returned 0x1144d75 [0041.435] GetTickCount () returned 0x1144d75 [0041.435] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.435] GetProcessHeap () returned 0x4e0000 [0041.435] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.435] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.438] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.438] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.439] GetProcessHeap () returned 0x4e0000 [0041.439] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.439] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.439] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.441] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.441] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.441] CloseHandle (hObject=0x208) returned 1 [0041.441] GetProcessHeap () returned 0x4e0000 [0041.441] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.441] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for") returned 97 [0041.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab_forv_{knuj5k}.for")) returned 1 [0041.442] GetProcessHeap () returned 0x4e0000 [0041.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.442] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.442] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0041.442] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0041.442] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0041.442] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files") returned -1 [0041.442] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Program Files (x86)") returned -1 [0041.442] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0041.442] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".for") returned 0x0 [0041.442] lstrcmpW (lpString1="PidGenX.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.442] lstrcmpW (lpString1="PidGenX.dll", lpString2="taridd") returned -1 [0041.442] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.442] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.442] GetTickCount () returned 0x1144d75 [0041.442] GetTickCount () returned 0x1144d75 [0041.442] GetTickCount () returned 0x1144d75 [0041.442] GetTickCount () returned 0x1144d75 [0041.442] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.442] GetProcessHeap () returned 0x4e0000 [0041.442] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.442] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.444] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.444] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.444] GetProcessHeap () returned 0x4e0000 [0041.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.444] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.444] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.446] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.446] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.446] CloseHandle (hObject=0x208) returned 1 [0041.447] GetProcessHeap () returned 0x4e0000 [0041.447] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.447] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for") returned 96 [0041.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll_forv_{knuj5k}.for")) returned 1 [0041.447] GetProcessHeap () returned 0x4e0000 [0041.447] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.447] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.447] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0041.447] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0041.447] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0041.447] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files") returned -1 [0041.447] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Program Files (x86)") returned -1 [0041.447] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0041.447] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".for") returned 0x0 [0041.447] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.447] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="taridd") returned -1 [0041.447] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.448] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.448] GetTickCount () returned 0x1144d75 [0041.448] GetTickCount () returned 0x1144d75 [0041.448] GetTickCount () returned 0x1144d75 [0041.448] GetTickCount () returned 0x1144d75 [0041.448] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.448] GetProcessHeap () returned 0x4e0000 [0041.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.448] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.450] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.450] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.450] GetProcessHeap () returned 0x4e0000 [0041.450] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.450] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.450] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.452] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.452] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.452] CloseHandle (hObject=0x208) returned 1 [0041.452] GetProcessHeap () returned 0x4e0000 [0041.452] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.452] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for") returned 109 [0041.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms_forv_{knuj5k}.for")) returned 1 [0041.453] GetProcessHeap () returned 0x4e0000 [0041.453] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.453] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.453] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0041.453] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0041.453] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0041.453] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files") returned 1 [0041.453] lstrcmpiW (lpString1="setup.exe", lpString2="Program Files (x86)") returned 1 [0041.453] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0041.453] StrStrIW (lpFirst="setup.exe", lpSrch=".for") returned 0x0 [0041.453] lstrcmpW (lpString1="setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.453] lstrcmpW (lpString1="setup.exe", lpString2="taridd") returned -1 [0041.453] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.453] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.454] GetTickCount () returned 0x1144d85 [0041.454] GetTickCount () returned 0x1144d85 [0041.454] GetTickCount () returned 0x1144d85 [0041.454] GetTickCount () returned 0x1144d85 [0041.454] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.454] GetProcessHeap () returned 0x4e0000 [0041.454] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.454] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.456] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.456] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.456] GetProcessHeap () returned 0x4e0000 [0041.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.456] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.457] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.460] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.461] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.461] CloseHandle (hObject=0x208) returned 1 [0041.461] GetProcessHeap () returned 0x4e0000 [0041.461] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.461] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for") returned 94 [0041.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe_forv_{knuj5k}.for")) returned 1 [0041.461] GetProcessHeap () returned 0x4e0000 [0041.461] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.461] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.461] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0041.461] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0041.461] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0041.461] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files") returned 1 [0041.461] lstrcmpiW (lpString1="Setup.xml", lpString2="Program Files (x86)") returned 1 [0041.461] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0041.461] StrStrIW (lpFirst="Setup.xml", lpSrch=".for") returned 0x0 [0041.462] lstrcmpW (lpString1="Setup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.462] lstrcmpW (lpString1="Setup.xml", lpString2="taridd") returned -1 [0041.462] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.462] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.462] GetTickCount () returned 0x1144d85 [0041.462] GetTickCount () returned 0x1144d85 [0041.462] GetTickCount () returned 0x1144d85 [0041.462] GetTickCount () returned 0x1144d85 [0041.462] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.462] GetProcessHeap () returned 0x4e0000 [0041.462] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.462] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.473] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.473] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.473] GetProcessHeap () returned 0x4e0000 [0041.473] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.474] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.474] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.474] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.474] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.474] CloseHandle (hObject=0x208) returned 1 [0041.474] GetProcessHeap () returned 0x4e0000 [0041.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.474] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for") returned 94 [0041.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml_forv_{knuj5k}.for")) returned 1 [0041.474] GetProcessHeap () returned 0x4e0000 [0041.474] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.475] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0041.475] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0041.475] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$Recycle.bin") returned 1 [0041.475] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="System Volume Information") returned 1 [0041.475] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files") returned 1 [0041.475] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Program Files (x86)") returned 1 [0041.475] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0041.475] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".for") returned 0x0 [0041.475] lstrcmpW (lpString1="VisiorWW.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.475] lstrcmpW (lpString1="VisiorWW.cab", lpString2="taridd") returned 1 [0041.475] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.475] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.478] GetTickCount () returned 0x1144d94 [0041.478] GetTickCount () returned 0x1144d94 [0041.478] GetTickCount () returned 0x1144d94 [0041.478] GetTickCount () returned 0x1144d94 [0041.478] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.478] GetProcessHeap () returned 0x4e0000 [0041.478] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.478] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.485] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.485] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.485] GetProcessHeap () returned 0x4e0000 [0041.485] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.485] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.485] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.501] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.501] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.501] CloseHandle (hObject=0x208) returned 1 [0041.501] GetProcessHeap () returned 0x4e0000 [0041.501] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.501] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab_forv_{KNUJ5K}.for") returned 97 [0041.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab_forv_{knuj5k}.for")) returned 1 [0041.502] GetProcessHeap () returned 0x4e0000 [0041.502] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.502] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0041.502] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0041.502] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$Recycle.bin") returned 1 [0041.502] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="System Volume Information") returned 1 [0041.502] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files") returned 1 [0041.502] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Program Files (x86)") returned 1 [0041.502] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0041.502] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".for") returned 0x0 [0041.502] lstrcmpW (lpString1="VisiorWW.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.502] lstrcmpW (lpString1="VisiorWW.msi", lpString2="taridd") returned 1 [0041.502] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.502] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.502] GetTickCount () returned 0x1144db3 [0041.502] GetTickCount () returned 0x1144db3 [0041.502] GetTickCount () returned 0x1144db3 [0041.502] GetTickCount () returned 0x1144db3 [0041.502] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.502] GetProcessHeap () returned 0x4e0000 [0041.502] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.502] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.505] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.505] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0041.505] GetProcessHeap () returned 0x4e0000 [0041.505] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.505] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.505] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.507] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.507] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.507] CloseHandle (hObject=0x208) returned 1 [0041.507] GetProcessHeap () returned 0x4e0000 [0041.507] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.507] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi_forv_{KNUJ5K}.for") returned 97 [0041.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi_forv_{knuj5k}.for")) returned 1 [0041.508] GetProcessHeap () returned 0x4e0000 [0041.508] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.508] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0041.508] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0041.508] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$Recycle.bin") returned 1 [0041.508] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="System Volume Information") returned 1 [0041.508] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files") returned 1 [0041.508] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Program Files (x86)") returned 1 [0041.508] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0041.508] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".for") returned 0x0 [0041.508] lstrcmpW (lpString1="VisiorWW.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.508] lstrcmpW (lpString1="VisiorWW.xml", lpString2="taridd") returned 1 [0041.508] StrCmpNW (lpStr1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.508] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0041.508] GetTickCount () returned 0x1144db3 [0041.508] GetTickCount () returned 0x1144db3 [0041.508] GetTickCount () returned 0x1144db3 [0041.508] GetTickCount () returned 0x1144db3 [0041.508] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0041.509] GetProcessHeap () returned 0x4e0000 [0041.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0041.509] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2213, lpOverlapped=0x0) returned 1 [0041.510] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.510] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2213, lpOverlapped=0x0) returned 1 [0041.510] GetProcessHeap () returned 0x4e0000 [0041.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0041.510] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.510] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0041.511] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0041.511] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0041.511] CloseHandle (hObject=0x208) returned 1 [0041.511] GetProcessHeap () returned 0x4e0000 [0041.511] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.511] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml_forv_{KNUJ5K}.for") returned 97 [0041.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml_forv_{KNUJ5K}.for" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml_forv_{knuj5k}.for")) returned 1 [0041.511] GetProcessHeap () returned 0x4e0000 [0041.511] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0041.511] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0041.512] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0041.512] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0041.512] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0041.512] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0041.513] CloseHandle (hObject=0x150) returned 1 [0041.513] GetProcessHeap () returned 0x4e0000 [0041.513] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0041.513] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0041.513] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0041.513] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0041.513] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\all users\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0041.513] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0041.514] CloseHandle (hObject=0x140) returned 1 [0041.514] GetProcessHeap () returned 0x4e0000 [0041.514] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0041.514] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0041.514] FindClose (in: hFindFile=0x535aa0 | out: hFindFile=0x535aa0) returned 1 [0041.514] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 47 [0041.514] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\msocache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0041.515] WriteFile (in: hFile=0x148, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f54c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f54c*=0x2b0, lpOverlapped=0x0) returned 1 [0041.516] CloseHandle (hObject=0x148) returned 1 [0041.516] GetProcessHeap () returned 0x4e0000 [0041.516] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0041.516] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x814762c0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0041.516] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0041.516] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0041.516] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0041.516] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0041.516] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0041.516] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0041.516] StrStrIW (lpFirst="pagefile.sys", lpSrch=".for") returned 0x0 [0041.516] lstrcmpW (lpString1="pagefile.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.516] lstrcmpW (lpString1="pagefile.sys", lpString2="taridd") returned -1 [0041.516] StrCmpNW (lpStr1="\\\\?\\C:\\pagefile.sys", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.516] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.516] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0041.516] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0041.516] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0041.516] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0041.516] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0041.516] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0041.516] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0041.516] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0041.517] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0041.517] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.517] GetProcessHeap () returned 0x4e0000 [0041.517] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0041.517] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0041.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535aa0 [0041.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.517] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.517] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.517] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.517] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.517] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0041.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.517] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.517] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.517] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.517] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.517] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.517] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.517] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0041.517] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.517] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0041.517] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0041.517] lstrcmpiW (lpString1="Admin", lpString2="$Recycle.bin") returned 1 [0041.517] lstrcmpiW (lpString1="Admin", lpString2="System Volume Information") returned -1 [0041.518] lstrcmpiW (lpString1="Admin", lpString2="Program Files") returned -1 [0041.518] lstrcmpiW (lpString1="Admin", lpString2="Program Files (x86)") returned -1 [0041.518] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0041.518] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0041.518] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0041.518] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs\\Admin", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.518] GetProcessHeap () returned 0x4e0000 [0041.518] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0041.518] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\*") returned 23 [0041.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0041.518] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.518] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.518] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.518] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.518] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.518] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\.") returned 23 [0041.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.518] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.518] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.518] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.518] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.518] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.518] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.518] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\..") returned 24 [0041.518] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.518] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.518] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0041.519] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 53 [0041.519] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\perflogs\\admin\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0041.519] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0041.520] CloseHandle (hObject=0x140) returned 1 [0041.520] GetProcessHeap () returned 0x4e0000 [0041.520] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0041.520] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0041.520] FindClose (in: hFindFile=0x535aa0 | out: hFindFile=0x535aa0) returned 1 [0041.520] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 47 [0041.520] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\perflogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0041.520] WriteFile (in: hFile=0x148, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f54c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f54c*=0x2b0, lpOverlapped=0x0) returned 1 [0041.521] CloseHandle (hObject=0x148) returned 1 [0041.521] GetProcessHeap () returned 0x4e0000 [0041.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5354c0 | out: hHeap=0x4e0000) returned 1 [0041.521] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x30363f50, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x30363f50, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0041.521] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0041.521] lstrcmpiW (lpString1="Program Files", lpString2="$Recycle.bin") returned 1 [0041.521] lstrcmpiW (lpString1="Program Files", lpString2="System Volume Information") returned -1 [0041.521] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0041.521] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0041.521] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0041.521] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$Recycle.bin") returned 1 [0041.521] lstrcmpiW (lpString1="Program Files (x86)", lpString2="System Volume Information") returned -1 [0041.521] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0041.521] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0041.521] FindNextFileW (in: hFindFile=0x535960, lpFindFileData=0x2d8f808 | out: lpFindFileData=0x2d8f808*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0041.521] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0041.522] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0041.522] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0041.522] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0041.522] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0041.522] wnsprintfW (in: pszDest=0x53f5e0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0041.522] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0041.522] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0041.522] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.522] GetProcessHeap () returned 0x4e0000 [0041.522] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5354c0 [0041.522] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\*") returned 20 [0041.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535aa0 [0041.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.522] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.522] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.522] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\.") returned 20 [0041.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.522] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0041.522] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0041.522] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0041.522] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." (normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.522] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.522] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\..") returned 21 [0041.523] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.523] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.523] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0041.523] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0041.523] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0041.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.523] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0041.523] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0041.523] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0041.523] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0041.523] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0041.523] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0041.523] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0041.523] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0041.523] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0041.523] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.523] GetProcessHeap () returned 0x4e0000 [0041.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0041.523] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\*") returned 26 [0041.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0041.523] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.523] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.523] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.523] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.523] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.523] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\.") returned 26 [0041.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.523] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.524] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.524] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.524] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.524] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.524] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.524] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\..") returned 27 [0041.524] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.524] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.524] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0041.524] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0041.524] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0041.524] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0041.524] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0041.524] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0041.524] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned 32 [0041.524] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0041.524] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0041.524] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.524] GetProcessHeap () returned 0x4e0000 [0041.524] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0041.524] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*") returned 34 [0041.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0041.524] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.524] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.524] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.524] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.524] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.524] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\.") returned 34 [0041.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.524] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.524] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.525] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\..") returned 35 [0041.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.525] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0041.525] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0041.525] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0041.525] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0041.525] lstrcmpiW (lpString1="10.0", lpString2="Program Files") returned -1 [0041.525] lstrcmpiW (lpString1="10.0", lpString2="Program Files (x86)") returned -1 [0041.525] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned 37 [0041.525] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0041.525] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0041.525] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.525] GetProcessHeap () returned 0x4e0000 [0041.525] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0041.525] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*") returned 39 [0041.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0041.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.525] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\.") returned 39 [0041.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.525] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.526] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.526] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\..") returned 40 [0041.526] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.526] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0041.526] lstrcmpiW (lpString1="Replicate", lpString2="Windows") returned -1 [0041.526] lstrcmpiW (lpString1="Replicate", lpString2="$Recycle.bin") returned 1 [0041.526] lstrcmpiW (lpString1="Replicate", lpString2="System Volume Information") returned -1 [0041.526] lstrcmpiW (lpString1="Replicate", lpString2="Program Files") returned 1 [0041.526] lstrcmpiW (lpString1="Replicate", lpString2="Program Files (x86)") returned 1 [0041.526] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned 47 [0041.526] lstrcmpW (lpString1="Replicate", lpString2=".") returned 1 [0041.526] lstrcmpW (lpString1="Replicate", lpString2="..") returned 1 [0041.526] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.526] GetProcessHeap () returned 0x4e0000 [0041.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0041.526] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*") returned 49 [0041.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x771791c9, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0041.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.672] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\.") returned 49 [0041.672] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.673] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x771791c9, cFileName="..", cAlternateFileName="")) returned 1 [0041.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.675] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.676] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.676] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\..") returned 50 [0041.677] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.678] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x771791c9, cFileName="Security", cAlternateFileName="")) returned 1 [0041.678] lstrcmpiW (lpString1="Security", lpString2="Windows") returned -1 [0041.678] lstrcmpiW (lpString1="Security", lpString2="$Recycle.bin") returned 1 [0041.679] lstrcmpiW (lpString1="Security", lpString2="System Volume Information") returned -1 [0041.680] lstrcmpiW (lpString1="Security", lpString2="Program Files") returned 1 [0041.680] lstrcmpiW (lpString1="Security", lpString2="Program Files (x86)") returned 1 [0041.681] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned 56 [0041.683] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0041.684] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0041.685] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0041.686] GetProcessHeap () returned 0x4e0000 [0041.686] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0041.687] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*") returned 58 [0041.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*", lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eb38, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0x535be0 [0041.694] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0041.694] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0041.695] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0041.695] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0041.696] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0041.697] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\.") returned 58 [0041.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.698] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eb38, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0041.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0041.702] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0041.702] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0041.702] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0041.703] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0041.703] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\..") returned 59 [0041.705] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.705] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.706] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x2d8eb38, dwReserved1=0x80, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0041.707] lstrcmpiW (lpString1="directories.acrodata", lpString2="Windows") returned -1 [0041.707] lstrcmpiW (lpString1="directories.acrodata", lpString2="$Recycle.bin") returned 1 [0041.708] lstrcmpiW (lpString1="directories.acrodata", lpString2="System Volume Information") returned -1 [0041.709] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files") returned -1 [0041.710] lstrcmpiW (lpString1="directories.acrodata", lpString2="Program Files (x86)") returned -1 [0041.710] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0041.711] StrStrIW (lpFirst="directories.acrodata", lpSrch=".for") returned 0x0 [0041.712] lstrcmpW (lpString1="directories.acrodata", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0041.714] lstrcmpW (lpString1="directories.acrodata", lpString2="taridd") returned -1 [0041.715] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0041.715] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0041.719] GetTickCount () returned 0x1144e8e [0041.719] GetTickCount () returned 0x1144e8e [0041.722] GetTickCount () returned 0x1144e8e [0041.723] GetTickCount () returned 0x1144e8e [0041.724] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0041.728] GetProcessHeap () returned 0x4e0000 [0041.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5441a8 [0041.735] ReadFile (in: hFile=0x20c, lpBuffer=0x5441a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5441a8*, lpNumberOfBytesRead=0x2d8e89c*=0x1df, lpOverlapped=0x0) returned 1 [0041.750] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.752] WriteFile (in: hFile=0x20c, lpBuffer=0x5441a8*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5441a8*, lpNumberOfBytesWritten=0x2d8e89c*=0x1df, lpOverlapped=0x0) returned 1 [0041.754] GetProcessHeap () returned 0x4e0000 [0041.754] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5441a8 | out: hHeap=0x4e0000) returned 1 [0041.755] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.756] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0041.760] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0041.763] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0041.765] CloseHandle (hObject=0x20c) returned 1 [0041.768] GetProcessHeap () returned 0x4e0000 [0041.768] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0041.769] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata_forv_{KNUJ5K}.for") returned 95 [0041.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata_forv_{knuj5k}.for")) returned 1 [0041.778] GetProcessHeap () returned 0x4e0000 [0041.779] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0041.779] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x2d8eb38, dwReserved1=0x80, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0041.781] FindClose (in: hFindFile=0x535be0 | out: hFindFile=0x535be0) returned 1 [0041.782] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0041.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0041.788] WriteFile (in: hFile=0x210, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8e8a4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8e8a4*=0x2b0, lpOverlapped=0x0) returned 1 [0041.804] CloseHandle (hObject=0x210) returned 1 [0041.807] GetProcessHeap () returned 0x4e0000 [0041.808] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0041.808] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x771791c9, cFileName="Security", cAlternateFileName="")) returned 0 [0041.810] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0041.811] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0041.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0041.817] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0041.832] CloseHandle (hObject=0x204) returned 1 [0041.835] GetProcessHeap () returned 0x4e0000 [0042.188] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.188] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0042.188] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0042.189] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0042.189] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0042.189] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.190] CloseHandle (hObject=0x208) returned 1 [0042.190] GetProcessHeap () returned 0x4e0000 [0042.190] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0042.190] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0042.190] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0042.190] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0042.190] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\acrobat\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0042.190] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.191] CloseHandle (hObject=0x150) returned 1 [0042.191] GetProcessHeap () returned 0x4e0000 [0042.191] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0042.191] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0042.191] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0042.191] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0042.191] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0042.191] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0042.192] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0042.192] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0042.192] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0042.192] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0042.192] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.192] GetProcessHeap () returned 0x4e0000 [0042.192] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0042.192] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned 30 [0042.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0042.192] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.192] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.192] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.192] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.192] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.192] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\.") returned 30 [0042.192] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.192] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.192] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.192] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.192] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.192] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.192] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.192] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\..") returned 31 [0042.192] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.192] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.192] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0042.193] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Windows") returned -1 [0042.193] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$Recycle.bin") returned 1 [0042.193] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="System Volume Information") returned -1 [0042.193] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files") returned 1 [0042.193] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="Program Files (x86)") returned 1 [0042.193] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned 42 [0042.193] lstrcmpW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0042.193] lstrcmpW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0042.193] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.193] GetProcessHeap () returned 0x4e0000 [0042.193] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0042.193] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*") returned 44 [0042.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0042.207] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.207] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.207] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.207] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.207] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.207] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\.") returned 44 [0042.207] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.207] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.207] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.207] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.207] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.207] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.207] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.207] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\..") returned 45 [0042.207] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.207] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.207] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0042.207] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Windows") returned -1 [0042.207] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$Recycle.bin") returned 1 [0042.207] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="System Volume Information") returned -1 [0042.207] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files") returned -1 [0042.207] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="Program Files (x86)") returned -1 [0042.207] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 65 [0042.207] StrStrIW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".for") returned 0x0 [0042.207] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.207] lstrcmpW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="taridd") returned -1 [0042.207] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.207] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.210] GetTickCount () returned 0x1145071 [0042.210] GetTickCount () returned 0x1145071 [0042.210] GetTickCount () returned 0x1145071 [0042.210] GetTickCount () returned 0x1145071 [0042.210] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0042.210] GetProcessHeap () returned 0x4e0000 [0042.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5451b0 [0042.210] ReadFile (in: hFile=0x204, lpBuffer=0x5451b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.212] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.212] WriteFile (in: hFile=0x204, lpBuffer=0x5451b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.212] GetProcessHeap () returned 0x4e0000 [0042.212] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5451b0 | out: hHeap=0x4e0000) returned 1 [0042.212] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.212] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0042.213] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0042.213] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0042.213] CloseHandle (hObject=0x204) returned 1 [0042.215] GetProcessHeap () returned 0x4e0000 [0042.215] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.215] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp_forv_{KNUJ5K}.for") returned 83 [0042.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp_forv_{knuj5k}.for")) returned 1 [0042.215] GetProcessHeap () returned 0x4e0000 [0042.215] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.215] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0042.215] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Windows") returned -1 [0042.215] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$Recycle.bin") returned 1 [0042.216] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="System Volume Information") returned -1 [0042.216] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files") returned -1 [0042.216] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="Program Files (x86)") returned -1 [0042.216] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 66 [0042.216] StrStrIW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".for") returned 0x0 [0042.216] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.216] lstrcmpW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="taridd") returned -1 [0042.216] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.216] GetTickCount () returned 0x1145081 [0042.216] GetTickCount () returned 0x1145081 [0042.216] GetTickCount () returned 0x1145081 [0042.216] GetTickCount () returned 0x1145081 [0042.216] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0042.216] GetProcessHeap () returned 0x4e0000 [0042.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5451b0 [0042.216] ReadFile (in: hFile=0x204, lpBuffer=0x5451b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.219] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.219] WriteFile (in: hFile=0x204, lpBuffer=0x5451b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.219] GetProcessHeap () returned 0x4e0000 [0042.219] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5451b0 | out: hHeap=0x4e0000) returned 1 [0042.219] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.219] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0042.220] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0042.220] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0042.220] CloseHandle (hObject=0x204) returned 1 [0042.220] GetProcessHeap () returned 0x4e0000 [0042.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.220] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp_forv_{KNUJ5K}.for") returned 84 [0042.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp_forv_{knuj5k}.for")) returned 1 [0042.221] GetProcessHeap () returned 0x4e0000 [0042.221] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.221] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0042.221] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Windows") returned -1 [0042.221] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$Recycle.bin") returned 1 [0042.221] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="System Volume Information") returned -1 [0042.221] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files") returned -1 [0042.221] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="Program Files (x86)") returned -1 [0042.221] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 66 [0042.221] StrStrIW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".for") returned 0x0 [0042.221] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.221] lstrcmpW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="taridd") returned -1 [0042.221] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.221] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.221] GetTickCount () returned 0x1145081 [0042.221] GetTickCount () returned 0x1145081 [0042.221] GetTickCount () returned 0x1145081 [0042.221] GetTickCount () returned 0x1145081 [0042.221] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0042.221] GetProcessHeap () returned 0x4e0000 [0042.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5451b0 [0042.222] ReadFile (in: hFile=0x204, lpBuffer=0x5451b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.223] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.223] WriteFile (in: hFile=0x204, lpBuffer=0x5451b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5451b0*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0042.224] GetProcessHeap () returned 0x4e0000 [0042.224] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5451b0 | out: hHeap=0x4e0000) returned 1 [0042.224] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.224] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0042.224] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0042.225] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0042.225] CloseHandle (hObject=0x204) returned 1 [0042.225] GetProcessHeap () returned 0x4e0000 [0042.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.225] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp_forv_{KNUJ5K}.for") returned 84 [0042.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp_forv_{knuj5k}.for")) returned 1 [0042.225] GetProcessHeap () returned 0x4e0000 [0042.225] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.225] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 0 [0042.225] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0042.225] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0042.225] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0042.226] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.226] CloseHandle (hObject=0x208) returned 1 [0042.226] GetProcessHeap () returned 0x4e0000 [0042.226] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0042.227] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0042.227] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0042.227] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0042.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0042.227] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.228] CloseHandle (hObject=0x150) returned 1 [0042.228] GetProcessHeap () returned 0x4e0000 [0042.228] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0042.228] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0042.228] FindClose (in: hFindFile=0x535ae0 | out: hFindFile=0x535ae0) returned 1 [0042.228] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 56 [0042.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x140 [0042.228] WriteFile (in: hFile=0x140, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f2c4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f2c4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.229] CloseHandle (hObject=0x140) returned 1 [0042.229] GetProcessHeap () returned 0x4e0000 [0042.229] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0042.229] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0042.229] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0042.229] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0042.229] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0042.230] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0042.230] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0042.230] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0042.230] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0042.230] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0042.230] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.230] GetProcessHeap () returned 0x4e0000 [0042.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0042.230] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data\\*") returned 37 [0042.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0042.230] GetProcessHeap () returned 0x4e0000 [0042.230] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0042.230] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0042.230] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0042.230] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0042.230] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0042.230] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0042.230] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0042.230] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0042.230] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0042.230] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0042.230] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.230] GetProcessHeap () returned 0x4e0000 [0042.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0042.230] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop\\*") returned 28 [0042.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0042.231] GetProcessHeap () returned 0x4e0000 [0042.231] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0042.231] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0042.231] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0042.231] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0042.231] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0042.231] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0042.231] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0042.231] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0042.231] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0042.231] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0042.231] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.231] GetProcessHeap () returned 0x4e0000 [0042.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0042.231] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents\\*") returned 30 [0042.231] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0042.231] GetProcessHeap () returned 0x4e0000 [0042.231] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0042.231] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0042.231] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0042.231] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0042.231] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0042.231] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0042.231] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0042.231] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites") returned 28 [0042.231] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0042.231] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0042.231] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Favorites", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.231] GetProcessHeap () returned 0x4e0000 [0042.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0042.232] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites\\*") returned 30 [0042.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0042.232] GetProcessHeap () returned 0x4e0000 [0042.232] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x511b40 | out: hHeap=0x4e0000) returned 1 [0042.232] FindNextFileW (in: hFindFile=0x535aa0, lpFindFileData=0x2d8f580 | out: lpFindFileData=0x2d8f580*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0042.232] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0042.232] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0042.232] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0042.232] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0042.232] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0042.232] wnsprintfW (in: pszDest=0x5354c0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0042.232] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0042.232] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0042.232] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.232] GetProcessHeap () returned 0x4e0000 [0042.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x511b40 [0042.232] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned 30 [0042.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ae0 [0042.232] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.232] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.232] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.232] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.232] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.232] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\.") returned 30 [0042.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.232] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0042.232] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.233] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0042.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.233] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.233] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.233] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.233] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\..") returned 31 [0042.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.233] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0042.233] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.233] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0042.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.233] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0042.233] lstrcmpiW (lpString1="Assistance", lpString2="Windows") returned -1 [0042.233] lstrcmpiW (lpString1="Assistance", lpString2="$Recycle.bin") returned 1 [0042.233] lstrcmpiW (lpString1="Assistance", lpString2="System Volume Information") returned -1 [0042.233] lstrcmpiW (lpString1="Assistance", lpString2="Program Files") returned -1 [0042.233] lstrcmpiW (lpString1="Assistance", lpString2="Program Files (x86)") returned -1 [0042.233] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned 39 [0042.233] lstrcmpW (lpString1="Assistance", lpString2=".") returned 1 [0042.233] lstrcmpW (lpString1="Assistance", lpString2="..") returned 1 [0042.233] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.233] GetProcessHeap () returned 0x4e0000 [0042.233] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0042.233] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*") returned 41 [0042.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0042.234] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.234] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.234] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.234] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.234] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.234] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\.") returned 41 [0042.234] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.234] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.234] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.234] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.234] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.234] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.234] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.234] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\..") returned 42 [0042.234] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.234] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.234] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0042.234] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0042.234] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0042.234] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0042.234] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0042.234] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0042.234] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned 46 [0042.234] lstrcmpW (lpString1="Client", lpString2=".") returned 1 [0042.234] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0042.234] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.234] GetProcessHeap () returned 0x4e0000 [0042.234] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0042.234] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*") returned 48 [0042.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0042.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.235] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.235] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\.") returned 48 [0042.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.235] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.235] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.235] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.235] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.235] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.235] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\..") returned 49 [0042.235] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.235] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.235] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 1 [0042.235] lstrcmpiW (lpString1="1.0", lpString2="Windows") returned -1 [0042.235] lstrcmpiW (lpString1="1.0", lpString2="$Recycle.bin") returned 1 [0042.235] lstrcmpiW (lpString1="1.0", lpString2="System Volume Information") returned -1 [0042.235] lstrcmpiW (lpString1="1.0", lpString2="Program Files") returned -1 [0042.235] lstrcmpiW (lpString1="1.0", lpString2="Program Files (x86)") returned -1 [0042.235] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned 50 [0042.235] lstrcmpW (lpString1="1.0", lpString2=".") returned 1 [0042.235] lstrcmpW (lpString1="1.0", lpString2="..") returned 1 [0042.235] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.235] GetProcessHeap () returned 0x4e0000 [0042.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.235] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*") returned 52 [0042.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0042.236] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.236] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.236] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\.") returned 52 [0042.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.236] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName="..", cAlternateFileName="")) returned 1 [0042.236] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.236] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.236] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.236] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.236] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.236] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\..") returned 53 [0042.236] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.236] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.236] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.236] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0042.236] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0042.236] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0042.236] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0042.236] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0042.236] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 56 [0042.236] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0042.236] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0042.236] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.236] GetProcessHeap () returned 0x4e0000 [0042.236] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0042.237] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned 58 [0042.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName=".", cAlternateFileName="")) returned 0x535be0 [0042.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.239] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\.") returned 58 [0042.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.239] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="..", cAlternateFileName="")) returned 1 [0042.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.239] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\..") returned 59 [0042.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.239] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa65a8bbf, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0042.239] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Windows") returned -1 [0042.239] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$Recycle.bin") returned 1 [0042.239] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="System Volume Information") returned -1 [0042.239] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files") returned -1 [0042.239] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="Program Files (x86)") returned -1 [0042.239] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0042.239] StrStrIW (lpFirst="Help_CValidator.H1D", lpSrch=".for") returned 0x0 [0042.239] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.239] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="taridd") returned -1 [0042.239] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.269] GetTickCount () returned 0x11450b0 [0042.269] GetTickCount () returned 0x11450b0 [0042.269] GetTickCount () returned 0x11450b0 [0042.269] GetTickCount () returned 0x11450b0 [0042.269] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.269] GetProcessHeap () returned 0x4e0000 [0042.269] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.269] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.271] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.271] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.271] GetProcessHeap () returned 0x4e0000 [0042.271] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.271] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.271] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.272] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.272] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.272] CloseHandle (hObject=0x20c) returned 1 [0042.272] GetProcessHeap () returned 0x4e0000 [0042.272] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.272] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D_forv_{KNUJ5K}.for") returned 94 [0042.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d_forv_{knuj5k}.for")) returned 1 [0042.272] GetProcessHeap () returned 0x4e0000 [0042.273] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.273] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae2660aa, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae2660aa, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0042.273] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Windows") returned -1 [0042.273] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$Recycle.bin") returned 1 [0042.273] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="System Volume Information") returned -1 [0042.273] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files") returned -1 [0042.273] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="Program Files (x86)") returned -1 [0042.273] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0042.273] StrStrIW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".for") returned 0x0 [0042.273] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.273] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="taridd") returned -1 [0042.273] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.273] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.273] GetTickCount () returned 0x11450b0 [0042.273] GetTickCount () returned 0x11450b0 [0042.273] GetTickCount () returned 0x11450b0 [0042.273] GetTickCount () returned 0x11450b0 [0042.273] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.273] GetProcessHeap () returned 0x4e0000 [0042.273] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.273] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.275] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.275] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.275] GetProcessHeap () returned 0x4e0000 [0042.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.275] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.275] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.276] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.276] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.277] CloseHandle (hObject=0x20c) returned 1 [0042.277] GetProcessHeap () returned 0x4e0000 [0042.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.277] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W_forv_{KNUJ5K}.for") returned 96 [0042.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w_forv_{knuj5k}.for")) returned 1 [0042.277] GetProcessHeap () returned 0x4e0000 [0042.277] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.277] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae409b6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae409b6f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0042.277] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Windows") returned -1 [0042.277] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$Recycle.bin") returned 1 [0042.277] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="System Volume Information") returned -1 [0042.277] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files") returned -1 [0042.277] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="Program Files (x86)") returned -1 [0042.277] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0042.277] StrStrIW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".for") returned 0x0 [0042.277] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.278] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="taridd") returned -1 [0042.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.278] GetTickCount () returned 0x11450bf [0042.278] GetTickCount () returned 0x11450bf [0042.278] GetTickCount () returned 0x11450bf [0042.278] GetTickCount () returned 0x11450bf [0042.278] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.279] GetProcessHeap () returned 0x4e0000 [0042.279] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.279] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.280] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.281] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.281] GetProcessHeap () returned 0x4e0000 [0042.281] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.281] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.281] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.282] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.282] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.282] CloseHandle (hObject=0x20c) returned 1 [0042.282] GetProcessHeap () returned 0x4e0000 [0042.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.283] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W_forv_{KNUJ5K}.for") returned 96 [0042.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w_forv_{knuj5k}.for")) returned 1 [0042.283] GetProcessHeap () returned 0x4e0000 [0042.283] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.283] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0042.283] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Windows") returned -1 [0042.283] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$Recycle.bin") returned 1 [0042.283] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="System Volume Information") returned -1 [0042.283] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files") returned -1 [0042.283] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="Program Files (x86)") returned -1 [0042.283] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0042.283] StrStrIW (lpFirst="Help_MTOC_help.H1H", lpSrch=".for") returned 0x0 [0042.283] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.283] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="taridd") returned -1 [0042.283] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.283] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.284] GetTickCount () returned 0x11450bf [0042.284] GetTickCount () returned 0x11450bf [0042.284] GetTickCount () returned 0x11450bf [0042.284] GetTickCount () returned 0x11450bf [0042.284] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.284] GetProcessHeap () returned 0x4e0000 [0042.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.284] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.286] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.286] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.286] GetProcessHeap () returned 0x4e0000 [0042.286] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.286] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.286] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.288] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.288] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.288] CloseHandle (hObject=0x20c) returned 1 [0042.288] GetProcessHeap () returned 0x4e0000 [0042.288] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.288] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H_forv_{KNUJ5K}.for") returned 93 [0042.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h_forv_{knuj5k}.for")) returned 1 [0042.289] GetProcessHeap () returned 0x4e0000 [0042.289] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.289] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x26353250, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0042.289] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Windows") returned -1 [0042.289] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$Recycle.bin") returned 1 [0042.289] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="System Volume Information") returned -1 [0042.289] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files") returned -1 [0042.289] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="Program Files (x86)") returned -1 [0042.289] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0042.289] StrStrIW (lpFirst="Help_MValidator.H1D", lpSrch=".for") returned 0x0 [0042.289] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.289] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="taridd") returned -1 [0042.289] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.289] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.289] GetTickCount () returned 0x11450bf [0042.289] GetTickCount () returned 0x11450bf [0042.289] GetTickCount () returned 0x11450bf [0042.289] GetTickCount () returned 0x11450bf [0042.289] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.290] GetProcessHeap () returned 0x4e0000 [0042.290] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.290] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.291] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.292] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.292] GetProcessHeap () returned 0x4e0000 [0042.292] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.292] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.292] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.292] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.292] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.292] CloseHandle (hObject=0x20c) returned 1 [0042.292] GetProcessHeap () returned 0x4e0000 [0042.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.292] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D_forv_{KNUJ5K}.for") returned 94 [0042.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d_forv_{knuj5k}.for")) returned 1 [0042.293] GetProcessHeap () returned 0x4e0000 [0042.293] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.293] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0042.293] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Windows") returned -1 [0042.293] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$Recycle.bin") returned 1 [0042.293] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="System Volume Information") returned -1 [0042.293] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files") returned -1 [0042.293] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="Program Files (x86)") returned -1 [0042.293] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0042.293] StrStrIW (lpFirst="Help_MValidator.Lck", lpSrch=".for") returned 0x0 [0042.293] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.293] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="taridd") returned -1 [0042.293] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.293] GetTickCount () returned 0x11450cf [0042.293] GetTickCount () returned 0x11450cf [0042.293] GetTickCount () returned 0x11450cf [0042.293] GetTickCount () returned 0x11450cf [0042.294] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.294] GetProcessHeap () returned 0x4e0000 [0042.294] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.294] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.294] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffffffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.294] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.295] GetProcessHeap () returned 0x4e0000 [0042.295] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.295] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.295] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.295] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.295] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.295] CloseHandle (hObject=0x20c) returned 1 [0042.295] GetProcessHeap () returned 0x4e0000 [0042.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.295] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck_forv_{KNUJ5K}.for") returned 94 [0042.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck_forv_{knuj5k}.for")) returned 1 [0042.296] GetProcessHeap () returned 0x4e0000 [0042.296] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.296] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0042.296] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Windows") returned -1 [0042.296] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$Recycle.bin") returned 1 [0042.296] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="System Volume Information") returned -1 [0042.296] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files") returned -1 [0042.296] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="Program Files (x86)") returned -1 [0042.296] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0042.296] StrStrIW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".for") returned 0x0 [0042.296] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.296] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="taridd") returned -1 [0042.296] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0042.296] GetTickCount () returned 0x11450cf [0042.296] GetTickCount () returned 0x11450cf [0042.296] GetTickCount () returned 0x11450cf [0042.296] GetTickCount () returned 0x11450cf [0042.296] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8e7e8*, pdwDataLen=0x2d8e898*=0x80) returned 1 [0042.296] GetProcessHeap () returned 0x4e0000 [0042.296] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5074e0 [0042.296] ReadFile (in: hFile=0x20c, lpBuffer=0x5074e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesRead=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.298] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.298] WriteFile (in: hFile=0x20c, lpBuffer=0x5074e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x5074e0*, lpNumberOfBytesWritten=0x2d8e89c*=0x2800, lpOverlapped=0x0) returned 1 [0042.298] GetProcessHeap () returned 0x4e0000 [0042.298] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5074e0 | out: hHeap=0x4e0000) returned 1 [0042.298] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.298] WriteFile (in: hFile=0x20c, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8e89c*=0x300, lpOverlapped=0x0) returned 1 [0042.301] WriteFile (in: hFile=0x20c, lpBuffer=0x2d8e7e8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x2d8e7e8*, lpNumberOfBytesWritten=0x2d8e89c*=0x80, lpOverlapped=0x0) returned 1 [0042.301] WriteFile (in: hFile=0x20c, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8e89c, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8e89c*=0x4, lpOverlapped=0x0) returned 1 [0042.301] CloseHandle (hObject=0x20c) returned 1 [0042.301] GetProcessHeap () returned 0x4e0000 [0042.301] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543a38 [0042.301] wnsprintfW (in: pszDest=0x543a38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q_forv_{KNUJ5K}.for") returned 121 [0042.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q_forv_{knuj5k}.for")) returned 1 [0042.301] GetProcessHeap () returned 0x4e0000 [0042.301] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543a38 | out: hHeap=0x4e0000) returned 1 [0042.301] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x2d8e920, dwReserved1=0x771791c9, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 0 [0042.301] FindClose (in: hFindFile=0x535be0 | out: hFindFile=0x535be0) returned 1 [0042.302] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0042.302] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0042.303] WriteFile (in: hFile=0x210, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8e8a4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8e8a4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.303] CloseHandle (hObject=0x210) returned 1 [0042.304] GetProcessHeap () returned 0x4e0000 [0042.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName="en-US", cAlternateFileName="")) returned 0 [0042.304] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0042.304] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0042.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.304] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.305] CloseHandle (hObject=0x204) returned 1 [0042.305] GetProcessHeap () returned 0x4e0000 [0042.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.305] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 0 [0042.305] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0042.305] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0042.305] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0042.306] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.307] CloseHandle (hObject=0x208) returned 1 [0042.307] GetProcessHeap () returned 0x4e0000 [0042.307] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0042.307] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 0 [0042.307] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0042.307] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0042.307] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0042.307] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.308] CloseHandle (hObject=0x150) returned 1 [0042.308] GetProcessHeap () returned 0x4e0000 [0042.308] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0042.308] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0042.308] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0042.308] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0042.308] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0042.308] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0042.308] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0042.308] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0042.309] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0042.309] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0042.309] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.309] GetProcessHeap () returned 0x4e0000 [0042.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0042.309] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned 37 [0042.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0042.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.309] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.309] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.309] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\.") returned 37 [0042.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.309] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.309] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.309] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.309] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\..") returned 38 [0042.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.309] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1 [0042.309] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0042.309] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0042.309] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0042.309] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0042.309] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0042.310] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0042.310] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0042.310] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0042.310] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.310] GetProcessHeap () returned 0x4e0000 [0042.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0042.310] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned 41 [0042.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0042.310] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.310] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.310] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.310] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.310] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.310] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\.") returned 41 [0042.310] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.310] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.310] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.310] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.310] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\..") returned 42 [0042.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.310] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0042.310] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0042.310] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0042.310] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0042.310] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0042.310] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0042.310] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0042.311] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0042.311] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0042.311] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.311] GetProcessHeap () returned 0x4e0000 [0042.311] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.311] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 53 [0042.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0042.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.311] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 53 [0042.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.311] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName="..", cAlternateFileName="")) returned 1 [0042.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.311] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.311] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.311] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.311] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.311] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 54 [0042.311] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.311] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50c758, dwReserved1=0x2d8ec64, cFileName="..", cAlternateFileName="")) returned 0 [0042.311] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0042.311] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0042.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.319] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.322] CloseHandle (hObject=0x204) returned 1 [0042.322] GetProcessHeap () returned 0x4e0000 [0042.322] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.322] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0042.322] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0042.322] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0042.322] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0042.322] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.323] CloseHandle (hObject=0x208) returned 1 [0042.323] GetProcessHeap () returned 0x4e0000 [0042.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0042.323] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1 [0042.323] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0042.323] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0042.323] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0042.323] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0042.323] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0042.323] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0042.323] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0042.323] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0042.323] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.323] GetProcessHeap () returned 0x4e0000 [0042.323] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0042.323] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned 42 [0042.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0042.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.445] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.448] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.448] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.448] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.") returned 42 [0042.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.451] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0042.452] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.452] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0042.454] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.457] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.460] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.460] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.460] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.462] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..") returned 43 [0042.464] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.465] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0042.466] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.466] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0042.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.471] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.472] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0042.474] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0042.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0042.481] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0042.500] CloseHandle (hObject=0x208) returned 1 [0042.504] GetProcessHeap () returned 0x4e0000 [0042.504] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0042.505] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0042.506] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0042.506] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0042.507] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0042.508] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0042.508] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0042.510] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0042.511] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0042.511] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0042.512] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.512] GetProcessHeap () returned 0x4e0000 [0042.512] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0042.514] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned 41 [0042.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0042.519] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.520] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.521] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.522] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\.") returned 41 [0042.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.524] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.526] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.528] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\..") returned 42 [0042.528] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.529] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0042.531] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0042.532] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0042.533] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0042.533] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0042.534] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0042.535] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0042.535] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0042.536] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0042.536] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.537] GetProcessHeap () returned 0x4e0000 [0042.538] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.539] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 53 [0042.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0042.547] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.547] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.548] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.548] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.549] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.550] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 53 [0042.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.552] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.555] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.555] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.555] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.556] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.557] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 54 [0042.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.558] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.559] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.560] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0042.568] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0042.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0042.575] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0042.657] CloseHandle (hObject=0x204) returned 1 [0042.657] GetProcessHeap () returned 0x4e0000 [0042.657] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0042.657] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0042.657] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0042.657] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0042.657] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0042.657] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0042.657] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0042.658] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0042.658] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0042.658] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0042.658] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0042.658] GetProcessHeap () returned 0x4e0000 [0042.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0042.658] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 50 [0042.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0042.989] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0042.989] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0042.989] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0042.989] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0042.989] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0042.989] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 50 [0042.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.989] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0042.989] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.989] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0042.989] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.989] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.989] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0042.989] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0042.989] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0042.989] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0042.989] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0042.990] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 51 [0042.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0042.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.990] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0042.990] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0042.990] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0042.990] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.990] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0042.990] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xfc767af0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xfc767af0, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc767af0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="6D14E4~1")) returned 1 [0042.990] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0042.990] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0042.990] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0042.990] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0042.990] lstrcmpiW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0042.990] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0042.990] StrStrIW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".for") returned 0x0 [0042.990] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.990] lstrcmpW (lpString1="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="taridd") returned -1 [0042.990] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.990] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0042.990] GetTickCount () returned 0x114537d [0042.990] GetTickCount () returned 0x114537d [0042.990] GetTickCount () returned 0x114537d [0042.990] GetTickCount () returned 0x114537d [0042.990] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0042.991] GetProcessHeap () returned 0x4e0000 [0042.991] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0042.991] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2f, lpOverlapped=0x0) returned 1 [0042.991] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffffd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.991] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2f, lpOverlapped=0x0) returned 1 [0042.992] GetProcessHeap () returned 0x4e0000 [0042.992] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0042.992] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.992] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0042.992] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0042.992] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0042.992] CloseHandle (hObject=0x210) returned 1 [0042.992] GetProcessHeap () returned 0x4e0000 [0042.992] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0042.992] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{KNUJ5K}.for") returned 136 [0042.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{knuj5k}.for")) returned 1 [0042.998] GetProcessHeap () returned 0x4e0000 [0042.998] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0042.998] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x0, dwReserved1=0x0, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="D42CC0~1")) returned 1 [0042.998] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Windows") returned -1 [0042.998] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="$Recycle.bin") returned 1 [0042.998] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="System Volume Information") returned -1 [0042.998] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files") returned -1 [0042.998] lstrcmpiW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="Program Files (x86)") returned -1 [0042.998] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 118 [0042.998] StrStrIW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".for") returned 0x0 [0042.998] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0042.998] lstrcmpW (lpString1="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2="taridd") returned -1 [0042.998] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0042.998] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0042.998] GetTickCount () returned 0x114538d [0042.998] GetTickCount () returned 0x114538d [0042.998] GetTickCount () returned 0x114538d [0042.998] GetTickCount () returned 0x114538d [0042.999] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0042.999] GetProcessHeap () returned 0x4e0000 [0042.999] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0042.999] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x41d, lpOverlapped=0x0) returned 1 [0043.001] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffffbe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.001] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x41d, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x41d, lpOverlapped=0x0) returned 1 [0043.001] GetProcessHeap () returned 0x4e0000 [0043.001] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0043.001] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.001] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0043.001] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0043.001] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0043.001] CloseHandle (hObject=0x210) returned 1 [0043.002] GetProcessHeap () returned 0x4e0000 [0043.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0043.002] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{KNUJ5K}.for") returned 136 [0043.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f_forv_{knuj5k}.for")) returned 1 [0043.002] GetProcessHeap () returned 0x4e0000 [0043.002] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0043.002] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x0, dwReserved1=0x0, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="D42CC0~1")) returned 0 [0043.002] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.002] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0043.002] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.002] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.003] CloseHandle (hObject=0x204) returned 1 [0043.003] GetProcessHeap () returned 0x4e0000 [0043.003] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.003] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0043.003] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.004] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0043.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.004] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.005] CloseHandle (hObject=0x208) returned 1 [0043.005] GetProcessHeap () returned 0x4e0000 [0043.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.005] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0043.005] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.005] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0043.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.006] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.006] CloseHandle (hObject=0x150) returned 1 [0043.007] GetProcessHeap () returned 0x4e0000 [0043.007] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.007] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0043.007] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0043.007] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0043.007] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0043.007] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0043.007] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0043.007] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0043.007] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0043.007] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0043.007] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.007] GetProcessHeap () returned 0x4e0000 [0043.007] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.007] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned 43 [0043.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.007] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.007] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.007] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\.") returned 43 [0043.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.007] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.008] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.008] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.008] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\..") returned 44 [0043.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.008] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1 [0043.008] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0043.008] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0043.008] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0043.008] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0043.008] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0043.008] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0043.008] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0043.008] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0043.008] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.008] GetProcessHeap () returned 0x4e0000 [0043.008] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.008] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned 50 [0043.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0043.009] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.009] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.009] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.009] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.009] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.009] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\.") returned 50 [0043.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.009] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.009] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.009] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.009] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.010] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\..") returned 51 [0043.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.010] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0043.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0043.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0043.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0043.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0043.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0043.010] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0043.010] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0043.010] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0043.010] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.010] GetProcessHeap () returned 0x4e0000 [0043.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0043.010] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 89 [0043.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0043.011] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.011] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.011] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.011] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.012] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.012] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 89 [0043.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.012] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.012] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.012] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.012] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.012] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.012] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 90 [0043.012] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.012] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0043.012] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0043.012] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0043.012] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0043.012] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0043.012] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0043.012] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0043.012] StrStrIW (lpFirst="background.png", lpSrch=".for") returned 0x0 [0043.012] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.012] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0043.012] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.012] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0043.012] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0043.012] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0043.012] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0043.012] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0043.013] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0043.013] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0043.013] StrStrIW (lpFirst="behavior.xml", lpSrch=".for") returned 0x0 [0043.013] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.013] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0043.013] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.013] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="device.png", cAlternateFileName="")) returned 1 [0043.013] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0043.013] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0043.013] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0043.014] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0043.014] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0043.014] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0043.014] StrStrIW (lpFirst="device.png", lpSrch=".for") returned 0x0 [0043.014] lstrcmpW (lpString1="device.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.014] lstrcmpW (lpString1="device.png", lpString2="taridd") returned -1 [0043.014] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.014] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.014] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0043.014] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0043.014] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0043.014] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0043.014] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0043.014] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0043.014] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0043.014] StrStrIW (lpFirst="overlay.png", lpSrch=".for") returned 0x0 [0043.014] lstrcmpW (lpString1="overlay.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.014] lstrcmpW (lpString1="overlay.png", lpString2="taridd") returned -1 [0043.014] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.014] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.014] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0043.014] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0043.014] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0043.014] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0043.014] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0043.014] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0043.014] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0043.014] StrStrIW (lpFirst="superbar.png", lpSrch=".for") returned 0x0 [0043.014] lstrcmpW (lpString1="superbar.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.015] lstrcmpW (lpString1="superbar.png", lpString2="taridd") returned -1 [0043.015] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.015] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.015] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0043.015] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.016] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0043.016] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.017] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.018] CloseHandle (hObject=0x204) returned 1 [0043.018] GetProcessHeap () returned 0x4e0000 [0043.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.018] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0043.018] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0043.019] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0043.019] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0043.019] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0043.019] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0043.019] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0043.019] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0043.019] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0043.019] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.019] GetProcessHeap () returned 0x4e0000 [0043.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0043.019] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 89 [0043.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0043.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.019] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 89 [0043.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.019] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.019] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 90 [0043.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.020] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0043.020] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0043.020] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0043.020] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0043.020] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0043.020] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0043.020] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0043.020] StrStrIW (lpFirst="background.png", lpSrch=".for") returned 0x0 [0043.020] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.020] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0043.020] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.020] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0043.020] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0043.020] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0043.020] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0043.020] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0043.020] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0043.020] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0043.020] StrStrIW (lpFirst="behavior.xml", lpSrch=".for") returned 0x0 [0043.020] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.020] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0043.020] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.020] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0043.020] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0043.020] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0043.020] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0043.021] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0043.021] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0043.021] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0043.021] StrStrIW (lpFirst="watermark.png", lpSrch=".for") returned 0x0 [0043.021] lstrcmpW (lpString1="watermark.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.021] lstrcmpW (lpString1="watermark.png", lpString2="taridd") returned 1 [0043.021] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.021] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.021] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0043.021] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.021] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0043.021] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.023] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.024] CloseHandle (hObject=0x204) returned 1 [0043.024] GetProcessHeap () returned 0x4e0000 [0043.024] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.024] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0043.024] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.024] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0043.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.026] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.027] CloseHandle (hObject=0x208) returned 1 [0043.027] GetProcessHeap () returned 0x4e0000 [0043.027] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.027] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1 [0043.027] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0043.027] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0043.027] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0043.027] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0043.027] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0043.027] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0043.027] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0043.027] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0043.027] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.027] GetProcessHeap () returned 0x4e0000 [0043.027] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.027] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned 48 [0043.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0043.027] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.027] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.027] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.027] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.028] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.028] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\.") returned 48 [0043.028] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.028] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.028] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.028] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.028] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.028] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.028] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.028] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\..") returned 49 [0043.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.028] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0043.028] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0043.028] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0043.028] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0043.028] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0043.028] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0043.028] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0043.028] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0043.028] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0043.028] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.028] GetProcessHeap () returned 0x4e0000 [0043.028] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0043.028] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 87 [0043.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0043.033] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.033] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.033] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.033] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.033] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.033] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 87 [0043.033] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.033] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.033] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.033] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.033] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.033] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.033] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.033] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 88 [0043.033] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.033] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.033] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0043.033] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0043.033] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0043.033] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0043.033] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0043.033] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0043.033] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0043.033] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0043.034] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0043.034] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.034] GetProcessHeap () returned 0x4e0000 [0043.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0043.034] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 93 [0043.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535be0 [0043.034] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.034] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.034] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.034] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.034] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.034] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 93 [0043.034] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.034] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.034] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.034] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.034] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.034] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.034] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.034] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 94 [0043.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.034] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0043.034] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0043.034] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0043.034] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0043.034] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0043.035] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0043.035] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0043.035] StrStrIW (lpFirst="resource.xml", lpSrch=".for") returned 0x0 [0043.035] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.035] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0043.035] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.038] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0043.038] FindClose (in: hFindFile=0x535be0 | out: hFindFile=0x535be0) returned 1 [0043.039] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0043.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0043.039] WriteFile (in: hFile=0x210, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8e8a4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8e8a4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.040] CloseHandle (hObject=0x210) returned 1 [0043.040] GetProcessHeap () returned 0x4e0000 [0043.040] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0043.040] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0043.040] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0043.040] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0043.040] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0043.040] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0043.040] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0043.040] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0043.041] StrStrIW (lpFirst="folder.ico", lpSrch=".for") returned 0x0 [0043.041] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.041] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0043.041] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.041] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2db04ce, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2db04ce, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0043.041] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0043.041] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0043.041] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0043.041] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0043.041] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0043.041] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0043.041] StrStrIW (lpFirst="netfol.ico", lpSrch=".for") returned 0x0 [0043.041] lstrcmpW (lpString1="netfol.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.041] lstrcmpW (lpString1="netfol.ico", lpString2="taridd") returned -1 [0043.041] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.041] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5b43, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2ca5b43, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c10f535, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0043.041] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0043.041] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0043.041] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0043.041] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0043.041] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0043.041] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0043.041] StrStrIW (lpFirst="pictures.ico", lpSrch=".for") returned 0x0 [0043.041] lstrcmpW (lpString1="pictures.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.041] lstrcmpW (lpString1="pictures.ico", lpString2="taridd") returned -1 [0043.041] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.042] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c59889, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c59889, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1cdc0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0043.042] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0043.042] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0043.042] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0043.042] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0043.042] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0043.042] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0043.042] StrStrIW (lpFirst="resource.xml", lpSrch=".for") returned 0x0 [0043.042] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.042] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0043.042] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.059] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf1dfd, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2cf1dfd, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0043.059] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0043.059] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0043.059] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0043.059] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0043.059] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0043.059] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0043.059] StrStrIW (lpFirst="ringtones.ico", lpSrch=".for") returned 0x0 [0043.059] lstrcmpW (lpString1="ringtones.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.059] lstrcmpW (lpString1="ringtones.ico", lpString2="taridd") returned -1 [0043.059] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.059] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d17f5a, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d17f5a, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0043.059] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0043.059] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0043.059] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0043.059] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0043.059] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0043.059] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0043.060] StrStrIW (lpFirst="settings.ico", lpSrch=".for") returned 0x0 [0043.060] lstrcmpW (lpString1="settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.060] lstrcmpW (lpString1="settings.ico", lpString2="taridd") returned -1 [0043.060] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.060] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d3e0b7, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d3e0b7, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0043.060] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0043.060] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0043.060] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0043.060] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0043.060] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0043.060] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0043.060] StrStrIW (lpFirst="sync.ico", lpSrch=".for") returned 0x0 [0043.060] lstrcmpW (lpString1="sync.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.060] lstrcmpW (lpString1="sync.ico", lpString2="taridd") returned -1 [0043.060] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.060] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c219ec7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x7c219ec7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0043.060] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0043.060] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0043.060] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0043.060] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0043.060] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0043.060] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0043.060] StrStrIW (lpFirst="tasks.xml", lpSrch=".for") returned 0x0 [0043.060] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.060] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0043.060] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.061] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.066] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0043.066] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0043.067] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0043.067] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0043.068] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0043.068] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0043.156] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0043.156] StrStrIW (lpFirst="wmp.ico", lpSrch=".for") returned 0x0 [0043.157] lstrcmpW (lpString1="wmp.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.157] lstrcmpW (lpString1="wmp.ico", lpString2="taridd") returned 1 [0043.158] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.162] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0043.164] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.168] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0043.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.174] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.188] CloseHandle (hObject=0x204) returned 1 [0043.190] GetProcessHeap () returned 0x4e0000 [0043.191] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.191] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0043.192] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0043.193] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0043.193] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0043.194] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0043.194] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0043.195] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0043.196] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0043.196] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0043.197] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.198] GetProcessHeap () returned 0x4e0000 [0043.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0043.199] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 87 [0043.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0043.215] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.215] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.216] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.216] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.217] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.217] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 87 [0043.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.218] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.219] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.220] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.221] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.221] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.222] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 88 [0043.223] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.224] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.225] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0043.226] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0043.228] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0043.229] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0043.229] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0043.233] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0043.233] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0043.233] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0043.234] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0043.235] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.236] GetProcessHeap () returned 0x4e0000 [0043.236] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0043.237] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 93 [0043.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd00007d7, cFileName=".", cAlternateFileName="")) returned 0x535be0 [0043.241] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.241] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.243] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.243] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 93 [0043.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.245] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xd00007d7, cFileName="..", cAlternateFileName="")) returned 1 [0043.246] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.248] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.251] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.251] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 94 [0043.253] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.253] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0xd00007d7, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0043.254] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0043.255] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0043.256] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0043.257] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0043.257] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0043.258] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0043.258] StrStrIW (lpFirst="resource.xml", lpSrch=".for") returned 0x0 [0043.405] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.405] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0043.406] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.411] FindNextFileW (in: hFindFile=0x535be0, lpFindFileData=0x2d8e8d8 | out: lpFindFileData=0x2d8e8d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0xd00007d7, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0043.412] FindClose (in: hFindFile=0x535be0 | out: hFindFile=0x535be0) returned 1 [0043.413] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0043.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0043.422] WriteFile (in: hFile=0x210, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8e8a4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8e8a4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.438] CloseHandle (hObject=0x210) returned 1 [0043.440] GetProcessHeap () returned 0x4e0000 [0043.440] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0043.441] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0043.442] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0043.443] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0043.444] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0043.444] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0043.445] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0043.446] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0043.446] StrStrIW (lpFirst="folder.ico", lpSrch=".for") returned 0x0 [0043.447] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.447] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0043.448] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.451] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0043.451] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0043.452] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0043.453] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0043.453] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0043.454] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0043.455] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0043.455] StrStrIW (lpFirst="print_pref.ico", lpSrch=".for") returned 0x0 [0043.456] lstrcmpW (lpString1="print_pref.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.457] lstrcmpW (lpString1="print_pref.ico", lpString2="taridd") returned -1 [0043.457] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.461] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0043.462] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0043.462] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0043.463] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0043.463] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0043.463] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0043.464] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0043.465] StrStrIW (lpFirst="print_property.ico", lpSrch=".for") returned 0x0 [0043.465] lstrcmpW (lpString1="print_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.465] lstrcmpW (lpString1="print_property.ico", lpString2="taridd") returned -1 [0043.466] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.469] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f112be3, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f112be3, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7be8cbf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0043.469] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0043.470] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0043.470] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0043.471] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0043.471] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0043.472] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0043.473] StrStrIW (lpFirst="print_queue.ico", lpSrch=".for") returned 0x0 [0043.473] lstrcmpW (lpString1="print_queue.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.474] lstrcmpW (lpString1="print_queue.ico", lpString2="taridd") returned -1 [0043.474] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.479] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0043.481] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0043.481] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0043.481] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0043.482] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0043.482] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0043.483] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0043.484] StrStrIW (lpFirst="scan_.ico", lpSrch=".for") returned 0x0 [0043.485] lstrcmpW (lpString1="scan_.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.485] lstrcmpW (lpString1="scan_.ico", lpString2="taridd") returned -1 [0043.488] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.516] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0043.518] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0043.518] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0043.521] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0043.522] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0043.522] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0043.523] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0043.524] StrStrIW (lpFirst="scan_property.ico", lpSrch=".for") returned 0x0 [0043.525] lstrcmpW (lpString1="scan_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.525] lstrcmpW (lpString1="scan_property.ico", lpString2="taridd") returned -1 [0043.527] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.534] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c34f7b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0043.540] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0043.819] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0043.820] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0043.820] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0043.821] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0043.821] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0043.821] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".for") returned 0x0 [0043.821] lstrcmpW (lpString1="scan_settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.821] lstrcmpW (lpString1="scan_settings.ico", lpString2="taridd") returned -1 [0043.824] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.826] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0043.828] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0043.828] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0043.828] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0043.828] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0043.829] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0043.831] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0043.832] StrStrIW (lpFirst="tasks.xml", lpSrch=".for") returned 0x0 [0043.832] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.832] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0043.832] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.832] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0043.832] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.833] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0043.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.833] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.834] CloseHandle (hObject=0x204) returned 1 [0043.834] GetProcessHeap () returned 0x4e0000 [0043.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.834] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0043.834] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.834] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0043.834] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.848] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.849] CloseHandle (hObject=0x208) returned 1 [0043.849] GetProcessHeap () returned 0x4e0000 [0043.849] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.849] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 0 [0043.849] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.850] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0043.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.850] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.851] CloseHandle (hObject=0x150) returned 1 [0043.851] GetProcessHeap () returned 0x4e0000 [0043.851] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.851] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0043.851] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0043.851] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0043.851] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0043.851] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0043.851] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0043.851] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0043.851] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0043.851] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0043.851] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.851] GetProcessHeap () returned 0x4e0000 [0043.851] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.851] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned 41 [0043.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.856] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\.") returned 41 [0043.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.856] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.856] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.856] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.856] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.856] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.856] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.856] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\..") returned 42 [0043.856] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.856] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.856] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.857] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.857] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0043.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.889] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.890] CloseHandle (hObject=0x150) returned 1 [0043.890] GetProcessHeap () returned 0x4e0000 [0043.890] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.890] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0043.890] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0043.890] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0043.890] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0043.890] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0043.890] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0043.890] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0043.891] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0043.891] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0043.891] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.891] GetProcessHeap () returned 0x4e0000 [0043.891] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.891] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned 34 [0043.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.891] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.891] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.891] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\.") returned 34 [0043.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.891] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.891] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.891] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.891] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.891] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.891] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\..") returned 35 [0043.891] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.891] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.891] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1 [0043.891] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0043.891] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0043.892] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0043.892] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0043.892] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0043.892] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0043.892] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0043.892] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0043.892] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.892] GetProcessHeap () returned 0x4e0000 [0043.892] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.892] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned 41 [0043.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0043.892] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.892] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.892] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.892] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.892] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.892] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.") returned 41 [0043.892] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.892] StrStrIW (lpFirst=".", lpSrch=".for") returned 0x0 [0043.892] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0043.892] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0043.892] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.892] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.893] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.893] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.893] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.893] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.893] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.893] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..") returned 42 [0043.893] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.893] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.893] StrStrIW (lpFirst="..", lpSrch=".for") returned 0x0 [0043.893] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0043.893] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0043.893] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.893] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0043.893] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.893] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.893] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0043.893] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.893] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.894] CloseHandle (hObject=0x208) returned 1 [0043.894] GetProcessHeap () returned 0x4e0000 [0043.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.894] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0 [0043.894] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.894] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0043.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.897] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.898] CloseHandle (hObject=0x150) returned 1 [0043.898] GetProcessHeap () returned 0x4e0000 [0043.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.898] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eHome", cAlternateFileName="")) returned 1 [0043.898] lstrcmpiW (lpString1="eHome", lpString2="Windows") returned -1 [0043.898] lstrcmpiW (lpString1="eHome", lpString2="$Recycle.bin") returned 1 [0043.898] lstrcmpiW (lpString1="eHome", lpString2="System Volume Information") returned -1 [0043.898] lstrcmpiW (lpString1="eHome", lpString2="Program Files") returned -1 [0043.898] lstrcmpiW (lpString1="eHome", lpString2="Program Files (x86)") returned -1 [0043.898] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned 34 [0043.898] lstrcmpW (lpString1="eHome", lpString2=".") returned 1 [0043.899] lstrcmpW (lpString1="eHome", lpString2="..") returned 1 [0043.899] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.899] GetProcessHeap () returned 0x4e0000 [0043.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.899] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*") returned 36 [0043.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.899] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.899] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.899] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\.") returned 36 [0043.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.899] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.899] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\..") returned 37 [0043.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.899] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0043.899] lstrcmpiW (lpString1="logs", lpString2="Windows") returned -1 [0043.899] lstrcmpiW (lpString1="logs", lpString2="$Recycle.bin") returned 1 [0043.899] lstrcmpiW (lpString1="logs", lpString2="System Volume Information") returned -1 [0043.900] lstrcmpiW (lpString1="logs", lpString2="Program Files") returned -1 [0043.900] lstrcmpiW (lpString1="logs", lpString2="Program Files (x86)") returned -1 [0043.900] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned 39 [0043.900] lstrcmpW (lpString1="logs", lpString2=".") returned 1 [0043.900] lstrcmpW (lpString1="logs", lpString2="..") returned 1 [0043.900] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.900] GetProcessHeap () returned 0x4e0000 [0043.900] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.900] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*") returned 41 [0043.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0043.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.900] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\.") returned 41 [0043.900] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.900] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.900] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.900] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.900] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.900] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.900] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.900] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\..") returned 42 [0043.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.901] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.901] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.901] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0043.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.901] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.902] CloseHandle (hObject=0x208) returned 1 [0043.902] GetProcessHeap () returned 0x4e0000 [0043.902] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.902] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 0 [0043.902] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.902] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0043.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\ehome\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.908] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.909] CloseHandle (hObject=0x150) returned 1 [0043.909] GetProcessHeap () returned 0x4e0000 [0043.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.909] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0043.909] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0043.909] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0043.909] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0043.909] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0043.909] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0043.909] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0043.909] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0043.909] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0043.909] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.909] GetProcessHeap () returned 0x4e0000 [0043.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.910] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned 43 [0043.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.910] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.911] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.911] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.911] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.911] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\.") returned 43 [0043.911] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.911] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.911] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\..") returned 44 [0043.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.911] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.911] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 1 [0043.911] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0043.911] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0043.911] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0043.911] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0043.911] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0043.911] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned 47 [0043.911] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0043.911] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0043.911] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.911] GetProcessHeap () returned 0x4e0000 [0043.911] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.911] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned 49 [0043.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0043.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.912] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\.") returned 49 [0043.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.912] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.912] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\..") returned 50 [0043.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.912] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0043.912] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0043.912] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0043.912] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0043.912] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0043.912] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0043.912] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0043.912] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0043.912] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0043.912] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.912] GetProcessHeap () returned 0x4e0000 [0043.912] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0043.912] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 74 [0043.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0043.913] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.913] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.913] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.913] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.913] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.913] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 74 [0043.913] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.913] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.913] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.913] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.913] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.913] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.913] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.913] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 75 [0043.913] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.913] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.913] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.913] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0043.913] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0043.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0043.914] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.915] CloseHandle (hObject=0x204) returned 1 [0043.915] GetProcessHeap () returned 0x4e0000 [0043.915] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0043.915] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0043.915] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0043.915] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0043.915] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.916] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0043.917] CloseHandle (hObject=0x208) returned 1 [0043.917] GetProcessHeap () returned 0x4e0000 [0043.917] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.917] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 0 [0043.917] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0043.917] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0043.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0043.917] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0043.918] CloseHandle (hObject=0x150) returned 1 [0043.918] GetProcessHeap () returned 0x4e0000 [0043.918] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0043.918] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0043.918] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0043.918] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0043.918] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0043.918] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0043.918] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0043.918] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0043.919] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0043.919] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0043.919] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0043.919] GetProcessHeap () returned 0x4e0000 [0043.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0043.919] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned 42 [0043.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0043.919] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0043.919] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0043.919] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0043.919] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0043.919] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0043.919] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\.") returned 42 [0043.919] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.919] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.919] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0043.919] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0043.919] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0043.919] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0043.919] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0043.919] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\..") returned 43 [0043.919] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0043.919] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.919] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0043.919] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Windows") returned -1 [0043.920] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$Recycle.bin") returned 1 [0043.920] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="System Volume Information") returned -1 [0043.920] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files") returned -1 [0043.920] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="Program Files (x86)") returned -1 [0043.920] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0043.920] StrStrIW (lpFirst="ppcrlconfig.dll", lpSrch=".for") returned 0x0 [0043.920] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.920] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="taridd") returned -1 [0043.920] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.920] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.920] GetTickCount () returned 0x1145725 [0043.920] GetTickCount () returned 0x1145725 [0043.920] GetTickCount () returned 0x1145725 [0043.920] GetTickCount () returned 0x1145725 [0043.920] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0043.920] GetProcessHeap () returned 0x4e0000 [0043.920] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0043.920] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0043.924] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.924] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0043.924] GetProcessHeap () returned 0x4e0000 [0043.924] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0043.924] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.924] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0043.925] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0043.925] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0043.925] CloseHandle (hObject=0x208) returned 1 [0043.925] GetProcessHeap () returned 0x4e0000 [0043.925] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0043.925] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll_forv_{KNUJ5K}.for") returned 74 [0043.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll_forv_{knuj5k}.for")) returned 1 [0043.925] GetProcessHeap () returned 0x4e0000 [0043.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0043.925] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0043.925] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Windows") returned -1 [0043.926] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$Recycle.bin") returned 1 [0043.926] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="System Volume Information") returned -1 [0043.926] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files") returned -1 [0043.926] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="Program Files (x86)") returned -1 [0043.926] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0043.926] StrStrIW (lpFirst="ppcrlui.dll", lpSrch=".for") returned 0x0 [0043.926] lstrcmpW (lpString1="ppcrlui.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0043.926] lstrcmpW (lpString1="ppcrlui.dll", lpString2="taridd") returned -1 [0043.926] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0043.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0043.927] GetTickCount () returned 0x1145725 [0043.927] GetTickCount () returned 0x1145725 [0043.927] GetTickCount () returned 0x1145725 [0043.927] GetTickCount () returned 0x1145725 [0043.927] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0043.927] GetProcessHeap () returned 0x4e0000 [0043.927] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0043.927] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.017] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.020] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.025] GetProcessHeap () returned 0x4e0000 [0044.026] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.027] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.029] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.037] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.039] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.042] CloseHandle (hObject=0x208) returned 1 [0044.045] GetProcessHeap () returned 0x4e0000 [0044.046] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.047] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll_forv_{KNUJ5K}.for") returned 70 [0044.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll_forv_{knuj5k}.for")) returned 1 [0044.060] GetProcessHeap () returned 0x4e0000 [0044.061] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.062] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0044.064] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.066] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0044.067] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.095] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.117] CloseHandle (hObject=0x150) returned 1 [0044.123] GetProcessHeap () returned 0x4e0000 [0044.124] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.125] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0044.126] lstrcmpiW (lpString1="Media Player", lpString2="Windows") returned -1 [0044.126] lstrcmpiW (lpString1="Media Player", lpString2="$Recycle.bin") returned 1 [0044.128] lstrcmpiW (lpString1="Media Player", lpString2="System Volume Information") returned -1 [0044.128] lstrcmpiW (lpString1="Media Player", lpString2="Program Files") returned -1 [0044.129] lstrcmpiW (lpString1="Media Player", lpString2="Program Files (x86)") returned -1 [0044.130] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned 41 [0044.131] lstrcmpW (lpString1="Media Player", lpString2=".") returned 1 [0044.131] lstrcmpW (lpString1="Media Player", lpString2="..") returned 1 [0044.135] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.135] GetProcessHeap () returned 0x4e0000 [0044.137] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.138] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*") returned 43 [0044.138] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.147] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.147] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.149] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.149] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.150] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.151] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\.") returned 43 [0044.152] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.154] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.154] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.156] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.156] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.156] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.157] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.158] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\..") returned 44 [0044.158] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.159] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.159] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.162] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.166] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0044.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\media player\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.177] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.195] CloseHandle (hObject=0x150) returned 1 [0044.198] GetProcessHeap () returned 0x4e0000 [0044.198] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.199] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1 [0044.200] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0044.201] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0044.202] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0044.203] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0044.205] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0044.208] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0044.208] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0044.209] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0044.210] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.212] GetProcessHeap () returned 0x4e0000 [0044.212] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.214] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned 33 [0044.214] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.219] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.221] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.221] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.223] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.223] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\.") returned 33 [0044.224] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.224] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.237] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\..") returned 34 [0044.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.238] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0044.238] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0044.238] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0044.238] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0044.238] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0044.238] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0044.238] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0044.238] StrStrIW (lpFirst="Active.GRL", lpSrch=".for") returned 0x0 [0044.238] lstrcmpW (lpString1="Active.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.238] lstrcmpW (lpString1="Active.GRL", lpString2="taridd") returned -1 [0044.238] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.238] GetTickCount () returned 0x114585d [0044.238] GetTickCount () returned 0x114585d [0044.238] GetTickCount () returned 0x114585d [0044.238] GetTickCount () returned 0x114585d [0044.238] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.238] GetProcessHeap () returned 0x4e0000 [0044.238] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.238] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.242] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.242] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.243] GetProcessHeap () returned 0x4e0000 [0044.243] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.243] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.243] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.243] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.243] CloseHandle (hObject=0x208) returned 1 [0044.243] GetProcessHeap () returned 0x4e0000 [0044.243] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.243] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_forv_{KNUJ5K}.for") returned 60 [0044.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl_forv_{knuj5k}.for")) returned 1 [0044.244] GetProcessHeap () returned 0x4e0000 [0044.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.244] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0044.244] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0044.244] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0044.244] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0044.244] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0044.244] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0044.244] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0044.244] StrStrIW (lpFirst="Pending.GRL", lpSrch=".for") returned 0x0 [0044.244] lstrcmpW (lpString1="Pending.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.244] lstrcmpW (lpString1="Pending.GRL", lpString2="taridd") returned -1 [0044.244] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.244] GetTickCount () returned 0x114586d [0044.244] GetTickCount () returned 0x114586d [0044.244] GetTickCount () returned 0x114586d [0044.244] GetTickCount () returned 0x114586d [0044.244] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.245] GetProcessHeap () returned 0x4e0000 [0044.245] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.245] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.573] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.573] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.573] GetProcessHeap () returned 0x4e0000 [0044.573] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.573] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.573] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.616] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.616] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.616] CloseHandle (hObject=0x208) returned 1 [0044.616] GetProcessHeap () returned 0x4e0000 [0044.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.616] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_forv_{KNUJ5K}.for") returned 61 [0044.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl_forv_{knuj5k}.for")) returned 1 [0044.617] GetProcessHeap () returned 0x4e0000 [0044.617] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.617] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0044.617] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.617] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 63 [0044.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\mf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.624] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.625] CloseHandle (hObject=0x150) returned 1 [0044.625] GetProcessHeap () returned 0x4e0000 [0044.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.625] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSDN", cAlternateFileName="")) returned 1 [0044.625] lstrcmpiW (lpString1="MSDN", lpString2="Windows") returned -1 [0044.625] lstrcmpiW (lpString1="MSDN", lpString2="$Recycle.bin") returned 1 [0044.625] lstrcmpiW (lpString1="MSDN", lpString2="System Volume Information") returned -1 [0044.625] lstrcmpiW (lpString1="MSDN", lpString2="Program Files") returned -1 [0044.625] lstrcmpiW (lpString1="MSDN", lpString2="Program Files (x86)") returned -1 [0044.625] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned 33 [0044.625] lstrcmpW (lpString1="MSDN", lpString2=".") returned 1 [0044.625] lstrcmpW (lpString1="MSDN", lpString2="..") returned 1 [0044.625] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.625] GetProcessHeap () returned 0x4e0000 [0044.625] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.625] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*") returned 35 [0044.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.626] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.626] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.626] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.626] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.626] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.626] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\.") returned 35 [0044.626] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.626] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.626] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.626] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.626] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.626] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.626] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.626] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\..") returned 36 [0044.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.626] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 1 [0044.626] lstrcmpiW (lpString1="8.0", lpString2="Windows") returned -1 [0044.626] lstrcmpiW (lpString1="8.0", lpString2="$Recycle.bin") returned 1 [0044.626] lstrcmpiW (lpString1="8.0", lpString2="System Volume Information") returned -1 [0044.626] lstrcmpiW (lpString1="8.0", lpString2="Program Files") returned -1 [0044.626] lstrcmpiW (lpString1="8.0", lpString2="Program Files (x86)") returned -1 [0044.626] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned 37 [0044.626] lstrcmpW (lpString1="8.0", lpString2=".") returned 1 [0044.626] lstrcmpW (lpString1="8.0", lpString2="..") returned 1 [0044.626] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.627] GetProcessHeap () returned 0x4e0000 [0044.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.627] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*") returned 39 [0044.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0044.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.627] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\.") returned 39 [0044.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.627] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.627] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.627] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.627] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\..") returned 40 [0044.627] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.627] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.627] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0044.627] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0044.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\8.0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.628] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0044.628] CloseHandle (hObject=0x208) returned 1 [0044.629] GetProcessHeap () returned 0x4e0000 [0044.629] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.629] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 0 [0044.629] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.629] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0044.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\msdn\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.631] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.632] CloseHandle (hObject=0x150) returned 1 [0044.632] GetProcessHeap () returned 0x4e0000 [0044.632] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.632] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0044.632] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0044.632] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0044.632] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0044.632] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0044.632] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0044.632] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0044.632] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0044.633] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0044.633] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.633] GetProcessHeap () returned 0x4e0000 [0044.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.633] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned 43 [0044.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.634] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.634] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.634] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.634] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.635] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\.") returned 43 [0044.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.635] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.635] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.635] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\..") returned 44 [0044.635] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.635] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0044.635] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0044.635] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0044.635] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0044.635] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0044.635] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0044.635] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0044.635] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0044.635] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0044.635] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.635] GetProcessHeap () returned 0x4e0000 [0044.635] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.635] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 59 [0044.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0044.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.636] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 59 [0044.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.636] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.636] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 60 [0044.636] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.636] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.636] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0044.636] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0044.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.638] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0044.639] CloseHandle (hObject=0x208) returned 1 [0044.639] GetProcessHeap () returned 0x4e0000 [0044.639] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.639] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0044.639] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.639] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0044.639] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.639] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.640] CloseHandle (hObject=0x150) returned 1 [0044.640] GetProcessHeap () returned 0x4e0000 [0044.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.640] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0044.640] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0044.640] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0044.640] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0044.641] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0044.641] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0044.641] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0044.641] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0044.641] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0044.641] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.641] GetProcessHeap () returned 0x4e0000 [0044.641] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.641] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned 38 [0044.641] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.641] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.641] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.641] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.641] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.641] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.641] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\.") returned 38 [0044.641] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.641] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.641] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.641] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.641] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.641] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.641] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.641] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\..") returned 39 [0044.641] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.641] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.641] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0044.641] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0044.641] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0044.641] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0044.642] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0044.642] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0044.642] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0044.642] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0044.642] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0044.642] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.642] GetProcessHeap () returned 0x4e0000 [0044.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.642] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned 50 [0044.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0044.642] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.642] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.642] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.642] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.642] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.642] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\.") returned 50 [0044.642] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.642] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.642] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.642] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.642] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.642] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.642] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.642] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\..") returned 51 [0044.642] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.642] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.642] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.642] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0044.643] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0044.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.643] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0044.644] CloseHandle (hObject=0x208) returned 1 [0044.644] GetProcessHeap () returned 0x4e0000 [0044.644] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.644] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0044.644] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0044.644] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0044.644] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0044.644] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0044.644] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0044.644] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0044.644] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0044.644] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0044.644] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.644] GetProcessHeap () returned 0x4e0000 [0044.644] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.644] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned 49 [0044.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0044.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.645] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\.") returned 49 [0044.645] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.645] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.645] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\..") returned 50 [0044.645] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.645] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.645] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0044.645] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Windows") returned -1 [0044.645] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$Recycle.bin") returned 1 [0044.645] lstrcmpiW (lpString1="qmgr0.dat", lpString2="System Volume Information") returned -1 [0044.645] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files") returned 1 [0044.645] lstrcmpiW (lpString1="qmgr0.dat", lpString2="Program Files (x86)") returned 1 [0044.645] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0044.645] StrStrIW (lpFirst="qmgr0.dat", lpSrch=".for") returned 0x0 [0044.645] lstrcmpW (lpString1="qmgr0.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.645] lstrcmpW (lpString1="qmgr0.dat", lpString2="taridd") returned -1 [0044.645] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.645] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0044.645] GetTickCount () returned 0x11459f3 [0044.645] GetTickCount () returned 0x11459f3 [0044.645] GetTickCount () returned 0x11459f3 [0044.645] GetTickCount () returned 0x11459f3 [0044.646] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0044.646] GetProcessHeap () returned 0x4e0000 [0044.646] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.646] ReadFile (in: hFile=0x204, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0044.647] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.647] WriteFile (in: hFile=0x204, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0044.648] GetProcessHeap () returned 0x4e0000 [0044.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.648] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.648] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0044.650] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0044.650] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0044.650] CloseHandle (hObject=0x204) returned 1 [0044.650] GetProcessHeap () returned 0x4e0000 [0044.650] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0044.651] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat_forv_{KNUJ5K}.for") returned 75 [0044.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat_forv_{knuj5k}.for")) returned 1 [0044.651] GetProcessHeap () returned 0x4e0000 [0044.651] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0044.651] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0044.651] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Windows") returned -1 [0044.651] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$Recycle.bin") returned 1 [0044.651] lstrcmpiW (lpString1="qmgr1.dat", lpString2="System Volume Information") returned -1 [0044.651] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files") returned 1 [0044.651] lstrcmpiW (lpString1="qmgr1.dat", lpString2="Program Files (x86)") returned 1 [0044.651] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0044.651] StrStrIW (lpFirst="qmgr1.dat", lpSrch=".for") returned 0x0 [0044.651] lstrcmpW (lpString1="qmgr1.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.651] lstrcmpW (lpString1="qmgr1.dat", lpString2="taridd") returned -1 [0044.651] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.651] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0044.652] GetTickCount () returned 0x1145a03 [0044.652] GetTickCount () returned 0x1145a03 [0044.652] GetTickCount () returned 0x1145a03 [0044.652] GetTickCount () returned 0x1145a03 [0044.652] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0044.652] GetProcessHeap () returned 0x4e0000 [0044.652] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.652] ReadFile (in: hFile=0x204, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0044.654] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.654] WriteFile (in: hFile=0x204, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0044.654] GetProcessHeap () returned 0x4e0000 [0044.654] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.654] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.654] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0044.657] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0044.657] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0044.657] CloseHandle (hObject=0x204) returned 1 [0044.657] GetProcessHeap () returned 0x4e0000 [0044.657] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0044.657] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat_forv_{KNUJ5K}.for") returned 75 [0044.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat_forv_{knuj5k}.for")) returned 1 [0044.658] GetProcessHeap () returned 0x4e0000 [0044.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0044.658] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0044.658] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0044.658] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0044.658] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.659] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0044.668] CloseHandle (hObject=0x208) returned 1 [0044.668] GetProcessHeap () returned 0x4e0000 [0044.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.668] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0044.668] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0044.668] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0044.668] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0044.668] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0044.669] CloseHandle (hObject=0x150) returned 1 [0044.669] GetProcessHeap () returned 0x4e0000 [0044.669] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0044.669] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0044.669] lstrcmpiW (lpString1="OFFICE", lpString2="Windows") returned -1 [0044.669] lstrcmpiW (lpString1="OFFICE", lpString2="$Recycle.bin") returned 1 [0044.669] lstrcmpiW (lpString1="OFFICE", lpString2="System Volume Information") returned -1 [0044.669] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files") returned -1 [0044.669] lstrcmpiW (lpString1="OFFICE", lpString2="Program Files (x86)") returned -1 [0044.669] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned 35 [0044.669] lstrcmpW (lpString1="OFFICE", lpString2=".") returned 1 [0044.670] lstrcmpW (lpString1="OFFICE", lpString2="..") returned 1 [0044.670] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.670] GetProcessHeap () returned 0x4e0000 [0044.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0044.670] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*") returned 37 [0044.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0044.672] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.672] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.672] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.672] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.672] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.672] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\.") returned 37 [0044.672] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.672] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.672] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.672] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.672] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.672] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.673] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.673] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\..") returned 38 [0044.673] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.673] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.673] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1 [0044.673] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Windows") returned -1 [0044.673] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$Recycle.bin") returned 1 [0044.673] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="System Volume Information") returned -1 [0044.673] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files") returned -1 [0044.673] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="Program Files (x86)") returned -1 [0044.673] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0044.673] StrStrIW (lpFirst="AssetLibrary.ico", lpSrch=".for") returned 0x0 [0044.673] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.673] lstrcmpW (lpString1="AssetLibrary.ico", lpString2="taridd") returned -1 [0044.673] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.673] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.674] GetTickCount () returned 0x1145a12 [0044.674] GetTickCount () returned 0x1145a12 [0044.674] GetTickCount () returned 0x1145a12 [0044.674] GetTickCount () returned 0x1145a12 [0044.674] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.675] GetProcessHeap () returned 0x4e0000 [0044.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.675] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x1536, lpOverlapped=0x0) returned 1 [0044.677] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffeaca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.677] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x1536, lpOverlapped=0x0) returned 1 [0044.677] GetProcessHeap () returned 0x4e0000 [0044.677] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.677] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.677] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.677] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.677] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.677] CloseHandle (hObject=0x208) returned 1 [0044.677] GetProcessHeap () returned 0x4e0000 [0044.677] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.678] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico_forv_{KNUJ5K}.for") returned 70 [0044.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico_forv_{knuj5k}.for")) returned 1 [0044.679] GetProcessHeap () returned 0x4e0000 [0044.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.679] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0044.679] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Windows") returned -1 [0044.679] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$Recycle.bin") returned 1 [0044.679] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="System Volume Information") returned -1 [0044.679] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files") returned -1 [0044.679] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="Program Files (x86)") returned -1 [0044.679] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0044.679] StrStrIW (lpFirst="DocumentRepository.ico", lpSrch=".for") returned 0x0 [0044.679] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.679] lstrcmpW (lpString1="DocumentRepository.ico", lpString2="taridd") returned -1 [0044.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.680] GetTickCount () returned 0x1145a22 [0044.680] GetTickCount () returned 0x1145a22 [0044.680] GetTickCount () returned 0x1145a22 [0044.680] GetTickCount () returned 0x1145a22 [0044.680] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.680] GetProcessHeap () returned 0x4e0000 [0044.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.680] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.682] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.682] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.683] GetProcessHeap () returned 0x4e0000 [0044.683] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.683] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.683] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.683] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.683] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.683] CloseHandle (hObject=0x208) returned 1 [0044.683] GetProcessHeap () returned 0x4e0000 [0044.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.683] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico_forv_{KNUJ5K}.for") returned 76 [0044.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico_forv_{knuj5k}.for")) returned 1 [0044.684] GetProcessHeap () returned 0x4e0000 [0044.684] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.684] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0044.684] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Windows") returned -1 [0044.684] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$Recycle.bin") returned 1 [0044.684] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="System Volume Information") returned -1 [0044.684] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files") returned -1 [0044.684] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="Program Files (x86)") returned -1 [0044.684] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0044.684] StrStrIW (lpFirst="MySharePoints.ico", lpSrch=".for") returned 0x0 [0044.684] lstrcmpW (lpString1="MySharePoints.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.684] lstrcmpW (lpString1="MySharePoints.ico", lpString2="taridd") returned -1 [0044.684] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.685] GetTickCount () returned 0x1145a22 [0044.685] GetTickCount () returned 0x1145a22 [0044.685] GetTickCount () returned 0x1145a22 [0044.685] GetTickCount () returned 0x1145a22 [0044.685] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.685] GetProcessHeap () returned 0x4e0000 [0044.685] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.685] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.687] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.687] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.687] GetProcessHeap () returned 0x4e0000 [0044.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.687] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.687] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.690] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.690] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.690] CloseHandle (hObject=0x208) returned 1 [0044.690] GetProcessHeap () returned 0x4e0000 [0044.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.690] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico_forv_{KNUJ5K}.for") returned 71 [0044.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico_forv_{knuj5k}.for")) returned 1 [0044.692] GetProcessHeap () returned 0x4e0000 [0044.692] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.692] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySite.ico", cAlternateFileName="")) returned 1 [0044.692] lstrcmpiW (lpString1="MySite.ico", lpString2="Windows") returned -1 [0044.692] lstrcmpiW (lpString1="MySite.ico", lpString2="$Recycle.bin") returned 1 [0044.692] lstrcmpiW (lpString1="MySite.ico", lpString2="System Volume Information") returned -1 [0044.692] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files") returned -1 [0044.693] lstrcmpiW (lpString1="MySite.ico", lpString2="Program Files (x86)") returned -1 [0044.693] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0044.693] StrStrIW (lpFirst="MySite.ico", lpSrch=".for") returned 0x0 [0044.693] lstrcmpW (lpString1="MySite.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.693] lstrcmpW (lpString1="MySite.ico", lpString2="taridd") returned -1 [0044.693] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.693] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.694] GetTickCount () returned 0x1145a31 [0044.694] GetTickCount () returned 0x1145a31 [0044.694] GetTickCount () returned 0x1145a31 [0044.694] GetTickCount () returned 0x1145a31 [0044.694] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.694] GetProcessHeap () returned 0x4e0000 [0044.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.694] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.696] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.696] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.696] GetProcessHeap () returned 0x4e0000 [0044.696] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.697] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.697] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.697] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.697] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.697] CloseHandle (hObject=0x208) returned 1 [0044.697] GetProcessHeap () returned 0x4e0000 [0044.697] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.697] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico_forv_{KNUJ5K}.for") returned 64 [0044.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico_forv_{knuj5k}.for")) returned 1 [0044.698] GetProcessHeap () returned 0x4e0000 [0044.698] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.698] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf2444900, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2444900, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1 [0044.698] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Windows") returned -1 [0044.698] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$Recycle.bin") returned 1 [0044.698] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="System Volume Information") returned -1 [0044.698] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files") returned 1 [0044.698] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="Program Files (x86)") returned 1 [0044.698] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0044.698] StrStrIW (lpFirst="SharePointPortalSite.ico", lpSrch=".for") returned 0x0 [0044.698] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.698] lstrcmpW (lpString1="SharePointPortalSite.ico", lpString2="taridd") returned -1 [0044.698] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.698] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.766] GetTickCount () returned 0x1145a70 [0044.766] GetTickCount () returned 0x1145a70 [0044.766] GetTickCount () returned 0x1145a70 [0044.766] GetTickCount () returned 0x1145a70 [0044.766] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.766] GetProcessHeap () returned 0x4e0000 [0044.766] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.766] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.768] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.768] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.768] GetProcessHeap () returned 0x4e0000 [0044.768] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.768] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.769] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.769] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.769] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.769] CloseHandle (hObject=0x208) returned 1 [0044.769] GetProcessHeap () returned 0x4e0000 [0044.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.769] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico_forv_{KNUJ5K}.for") returned 78 [0044.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico_forv_{knuj5k}.for")) returned 1 [0044.769] GetProcessHeap () returned 0x4e0000 [0044.769] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.769] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad743900, ftCreationTime.dwHighDateTime=0x1c62706, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad743900, ftLastWriteTime.dwHighDateTime=0x1c62706, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1 [0044.770] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Windows") returned -1 [0044.770] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$Recycle.bin") returned 1 [0044.770] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="System Volume Information") returned -1 [0044.770] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files") returned 1 [0044.770] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="Program Files (x86)") returned 1 [0044.770] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0044.770] StrStrIW (lpFirst="SharePointTeamSite.ico", lpSrch=".for") returned 0x0 [0044.770] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.770] lstrcmpW (lpString1="SharePointTeamSite.ico", lpString2="taridd") returned -1 [0044.770] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.770] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0044.771] GetTickCount () returned 0x1145a70 [0044.771] GetTickCount () returned 0x1145a70 [0044.771] GetTickCount () returned 0x1145a70 [0044.771] GetTickCount () returned 0x1145a70 [0044.771] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0044.771] GetProcessHeap () returned 0x4e0000 [0044.771] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.771] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.772] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.772] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0044.773] GetProcessHeap () returned 0x4e0000 [0044.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.773] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.773] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0044.773] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0044.773] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0044.773] CloseHandle (hObject=0x208) returned 1 [0044.773] GetProcessHeap () returned 0x4e0000 [0044.774] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.774] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico_forv_{KNUJ5K}.for") returned 76 [0044.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico_forv_{knuj5k}.for")) returned 1 [0044.774] GetProcessHeap () returned 0x4e0000 [0044.774] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0044.774] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 1 [0044.774] lstrcmpiW (lpString1="UICaptions", lpString2="Windows") returned -1 [0044.774] lstrcmpiW (lpString1="UICaptions", lpString2="$Recycle.bin") returned 1 [0044.774] lstrcmpiW (lpString1="UICaptions", lpString2="System Volume Information") returned 1 [0044.774] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files") returned 1 [0044.774] lstrcmpiW (lpString1="UICaptions", lpString2="Program Files (x86)") returned 1 [0044.774] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions") returned 46 [0044.774] lstrcmpW (lpString1="UICaptions", lpString2=".") returned 1 [0044.774] lstrcmpW (lpString1="UICaptions", lpString2="..") returned 1 [0044.774] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.774] GetProcessHeap () returned 0x4e0000 [0044.774] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0044.774] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*") returned 48 [0044.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0044.775] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.775] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.775] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.775] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.775] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.775] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\.") returned 48 [0044.775] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.775] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.775] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.775] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.775] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.775] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.775] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.775] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\..") returned 49 [0044.775] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.776] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.776] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0044.776] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0044.776] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0044.776] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0044.776] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0044.776] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0044.776] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036") returned 51 [0044.776] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0044.776] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0044.776] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0044.776] GetProcessHeap () returned 0x4e0000 [0044.776] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0044.776] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*") returned 53 [0044.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0044.778] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0044.778] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0044.778] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0044.778] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0044.778] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0044.778] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\.") returned 53 [0044.778] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.778] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="..", cAlternateFileName="")) returned 1 [0044.779] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0044.779] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0044.779] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0044.779] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0044.779] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0044.779] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\..") returned 54 [0044.779] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0044.779] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.779] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0044.779] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0044.779] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.779] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0044.779] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0044.779] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.779] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 72 [0044.779] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0044.779] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.779] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="taridd") returned -1 [0044.780] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.780] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.780] GetTickCount () returned 0x1145a7f [0044.780] GetTickCount () returned 0x1145a7f [0044.780] GetTickCount () returned 0x1145a7f [0044.780] GetTickCount () returned 0x1145a7f [0044.780] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.780] GetProcessHeap () returned 0x4e0000 [0044.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.780] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.782] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.782] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.783] GetProcessHeap () returned 0x4e0000 [0044.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.783] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.783] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.783] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.783] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.783] CloseHandle (hObject=0x210) returned 1 [0044.783] GetProcessHeap () returned 0x4e0000 [0044.784] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.784] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0044.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.784] GetProcessHeap () returned 0x4e0000 [0044.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.784] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xbf60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0044.784] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0044.784] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.784] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0044.784] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0044.784] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.784] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 72 [0044.784] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".for") returned 0x0 [0044.784] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.784] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="taridd") returned -1 [0044.784] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.784] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.786] GetTickCount () returned 0x1145a7f [0044.786] GetTickCount () returned 0x1145a7f [0044.786] GetTickCount () returned 0x1145a7f [0044.786] GetTickCount () returned 0x1145a7f [0044.786] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.786] GetProcessHeap () returned 0x4e0000 [0044.786] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.786] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.800] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.800] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.800] GetProcessHeap () returned 0x4e0000 [0044.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.800] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.800] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.801] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.801] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.801] CloseHandle (hObject=0x210) returned 1 [0044.801] GetProcessHeap () returned 0x4e0000 [0044.801] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.801] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0044.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.801] GetProcessHeap () returned 0x4e0000 [0044.801] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.801] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0044.801] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0044.801] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.801] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0044.802] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0044.802] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.802] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 73 [0044.802] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".for") returned 0x0 [0044.802] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.802] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="taridd") returned -1 [0044.802] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.802] GetTickCount () returned 0x1145a8f [0044.802] GetTickCount () returned 0x1145a8f [0044.802] GetTickCount () returned 0x1145a8f [0044.802] GetTickCount () returned 0x1145a8f [0044.803] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.803] GetProcessHeap () returned 0x4e0000 [0044.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.803] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.805] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.805] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.806] GetProcessHeap () returned 0x4e0000 [0044.806] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.806] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.806] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.808] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.808] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.808] CloseHandle (hObject=0x210) returned 1 [0044.808] GetProcessHeap () returned 0x4e0000 [0044.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.808] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0044.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.808] GetProcessHeap () returned 0x4e0000 [0044.808] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.809] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x49f60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0044.809] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0044.809] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.809] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0044.809] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0044.809] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.809] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 69 [0044.809] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0044.809] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.809] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="taridd") returned -1 [0044.809] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.810] GetTickCount () returned 0x1145a9f [0044.810] GetTickCount () returned 0x1145a9f [0044.810] GetTickCount () returned 0x1145a9f [0044.810] GetTickCount () returned 0x1145a9f [0044.810] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.810] GetProcessHeap () returned 0x4e0000 [0044.810] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.810] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.811] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.812] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.812] GetProcessHeap () returned 0x4e0000 [0044.812] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.812] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.812] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.814] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.814] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.814] CloseHandle (hObject=0x210) returned 1 [0044.814] GetProcessHeap () returned 0x4e0000 [0044.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.814] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 87 [0044.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.815] GetProcessHeap () returned 0x4e0000 [0044.815] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.815] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0044.815] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0044.815] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.815] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0044.815] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0044.815] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.815] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 72 [0044.815] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".for") returned 0x0 [0044.815] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.815] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="taridd") returned -1 [0044.815] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.815] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.816] GetTickCount () returned 0x1145a9f [0044.816] GetTickCount () returned 0x1145a9f [0044.816] GetTickCount () returned 0x1145a9f [0044.816] GetTickCount () returned 0x1145a9f [0044.816] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.816] GetProcessHeap () returned 0x4e0000 [0044.816] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.816] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.818] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.818] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.819] GetProcessHeap () returned 0x4e0000 [0044.819] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.819] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.819] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.819] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.819] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.819] CloseHandle (hObject=0x210) returned 1 [0044.820] GetProcessHeap () returned 0x4e0000 [0044.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.820] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll_forv_{KNUJ5K}.for") returned 90 [0044.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.820] GetProcessHeap () returned 0x4e0000 [0044.820] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.820] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x17960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0044.820] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0044.820] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.820] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0044.820] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0044.820] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.820] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 71 [0044.820] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0044.820] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.820] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0044.820] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.821] GetTickCount () returned 0x1145aae [0044.821] GetTickCount () returned 0x1145aae [0044.821] GetTickCount () returned 0x1145aae [0044.821] GetTickCount () returned 0x1145aae [0044.821] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.821] GetProcessHeap () returned 0x4e0000 [0044.821] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.821] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.823] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.823] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.823] GetProcessHeap () returned 0x4e0000 [0044.823] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.823] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.823] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.823] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.824] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.824] CloseHandle (hObject=0x210) returned 1 [0044.824] GetProcessHeap () returned 0x4e0000 [0044.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.824] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0044.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.824] GetProcessHeap () returned 0x4e0000 [0044.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.824] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2ced60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0044.824] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0044.824] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.824] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0044.824] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0044.824] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.825] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 72 [0044.825] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0044.825] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.825] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="taridd") returned -1 [0044.825] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.825] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.827] GetTickCount () returned 0x1145aae [0044.827] GetTickCount () returned 0x1145aae [0044.827] GetTickCount () returned 0x1145aae [0044.827] GetTickCount () returned 0x1145aae [0044.827] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0044.827] GetProcessHeap () returned 0x4e0000 [0044.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0044.827] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.844] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.916] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0044.920] GetProcessHeap () returned 0x4e0000 [0044.922] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0044.923] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.927] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0044.951] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0044.954] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0044.956] CloseHandle (hObject=0x210) returned 1 [0044.960] GetProcessHeap () returned 0x4e0000 [0044.960] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0044.961] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 90 [0044.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0044.974] GetProcessHeap () returned 0x4e0000 [0044.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0044.976] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa381000, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xaa381000, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0044.977] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0044.978] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0044.979] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0044.981] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0044.981] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0044.983] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 71 [0044.983] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0044.984] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0044.985] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0044.986] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0044.986] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0044.997] GetTickCount () returned 0x1145b5a [0044.999] GetTickCount () returned 0x1145b5a [0044.999] GetTickCount () returned 0x1145b5a [0045.000] GetTickCount () returned 0x1145b5a [0045.002] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.006] GetProcessHeap () returned 0x4e0000 [0045.006] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.007] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.031] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.033] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.036] GetProcessHeap () returned 0x4e0000 [0045.036] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.037] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.038] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.041] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.043] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.046] CloseHandle (hObject=0x210) returned 1 [0045.050] GetProcessHeap () returned 0x4e0000 [0045.051] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.052] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.065] GetProcessHeap () returned 0x4e0000 [0045.066] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.066] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0045.067] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.069] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.069] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.070] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.071] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.072] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 70 [0045.072] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.073] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.073] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.074] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.075] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.090] GetTickCount () returned 0x1145bb7 [0045.091] GetTickCount () returned 0x1145bb7 [0045.091] GetTickCount () returned 0x1145bb7 [0045.092] GetTickCount () returned 0x1145bb7 [0045.093] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.096] GetProcessHeap () returned 0x4e0000 [0045.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.098] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.122] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.124] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.126] GetProcessHeap () returned 0x4e0000 [0045.126] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.126] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.126] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.127] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.127] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.127] CloseHandle (hObject=0x210) returned 1 [0045.127] GetProcessHeap () returned 0x4e0000 [0045.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.127] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.127] GetProcessHeap () returned 0x4e0000 [0045.127] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.127] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3fb60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0045.127] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.127] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.128] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.128] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0045.128] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.128] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 71 [0045.128] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.128] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.128] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.128] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.128] GetTickCount () returned 0x1145bd7 [0045.128] GetTickCount () returned 0x1145bd7 [0045.128] GetTickCount () returned 0x1145bd7 [0045.128] GetTickCount () returned 0x1145bd7 [0045.129] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.129] GetProcessHeap () returned 0x4e0000 [0045.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.129] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.131] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.131] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.131] GetProcessHeap () returned 0x4e0000 [0045.131] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.131] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.131] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.133] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.133] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.133] CloseHandle (hObject=0x210) returned 1 [0045.133] GetProcessHeap () returned 0x4e0000 [0045.133] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.133] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.133] GetProcessHeap () returned 0x4e0000 [0045.133] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.133] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x37560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0045.134] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0045.134] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.134] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.134] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.134] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.134] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 72 [0045.134] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.134] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.134] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="taridd") returned -1 [0045.134] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.134] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.134] GetTickCount () returned 0x1145be6 [0045.134] GetTickCount () returned 0x1145be6 [0045.134] GetTickCount () returned 0x1145be6 [0045.134] GetTickCount () returned 0x1145be6 [0045.135] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.135] GetProcessHeap () returned 0x4e0000 [0045.135] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.135] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.136] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.136] GetProcessHeap () returned 0x4e0000 [0045.136] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.136] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.138] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.138] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.138] CloseHandle (hObject=0x210) returned 1 [0045.138] GetProcessHeap () returned 0x4e0000 [0045.138] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.138] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.138] GetProcessHeap () returned 0x4e0000 [0045.138] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.139] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0xa6560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0045.139] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0045.139] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.139] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.139] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0045.139] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.139] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 73 [0045.139] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.139] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.139] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="taridd") returned -1 [0045.139] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.139] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.140] GetTickCount () returned 0x1145be6 [0045.140] GetTickCount () returned 0x1145be6 [0045.140] GetTickCount () returned 0x1145be6 [0045.140] GetTickCount () returned 0x1145be6 [0045.140] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.140] GetProcessHeap () returned 0x4e0000 [0045.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.140] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.153] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.153] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.153] GetProcessHeap () returned 0x4e0000 [0045.153] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.153] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.154] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.155] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.156] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.156] CloseHandle (hObject=0x210) returned 1 [0045.156] GetProcessHeap () returned 0x4e0000 [0045.156] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.156] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.156] GetProcessHeap () returned 0x4e0000 [0045.156] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.156] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0045.156] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0045.156] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.156] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.156] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.156] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.156] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 71 [0045.156] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.157] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.157] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="taridd") returned -1 [0045.157] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.157] GetTickCount () returned 0x1145bf6 [0045.157] GetTickCount () returned 0x1145bf6 [0045.157] GetTickCount () returned 0x1145bf6 [0045.157] GetTickCount () returned 0x1145bf6 [0045.157] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.157] GetProcessHeap () returned 0x4e0000 [0045.157] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.157] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.159] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.159] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.159] GetProcessHeap () returned 0x4e0000 [0045.159] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.159] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.159] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.159] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.159] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.159] CloseHandle (hObject=0x210) returned 1 [0045.159] GetProcessHeap () returned 0x4e0000 [0045.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.159] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.160] GetProcessHeap () returned 0x4e0000 [0045.160] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.160] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0xcd60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0045.160] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.160] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.160] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.160] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.160] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.160] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 70 [0045.160] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.160] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.160] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.160] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.160] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.161] GetTickCount () returned 0x1145bf6 [0045.161] GetTickCount () returned 0x1145bf6 [0045.161] GetTickCount () returned 0x1145bf6 [0045.161] GetTickCount () returned 0x1145bf6 [0045.161] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.161] GetProcessHeap () returned 0x4e0000 [0045.161] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.161] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.163] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.164] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.164] GetProcessHeap () returned 0x4e0000 [0045.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.164] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.164] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.164] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.164] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.164] CloseHandle (hObject=0x210) returned 1 [0045.164] GetProcessHeap () returned 0x4e0000 [0045.164] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.164] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.165] GetProcessHeap () returned 0x4e0000 [0045.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.165] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0x45f60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0045.165] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.165] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.165] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.165] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0045.165] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.165] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 71 [0045.165] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.165] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.165] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.165] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.165] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.166] GetTickCount () returned 0x1145c05 [0045.166] GetTickCount () returned 0x1145c05 [0045.166] GetTickCount () returned 0x1145c05 [0045.166] GetTickCount () returned 0x1145c05 [0045.166] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.166] GetProcessHeap () returned 0x4e0000 [0045.166] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.166] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.168] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.168] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.168] GetProcessHeap () returned 0x4e0000 [0045.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.168] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.168] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.170] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.170] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.170] CloseHandle (hObject=0x210) returned 1 [0045.170] GetProcessHeap () returned 0x4e0000 [0045.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.170] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.171] GetProcessHeap () returned 0x4e0000 [0045.171] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.171] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3b09500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa3b09500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0045.171] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.171] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.171] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.171] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.171] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.171] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 72 [0045.171] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.171] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.171] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.171] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.171] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.172] GetTickCount () returned 0x1145c05 [0045.172] GetTickCount () returned 0x1145c05 [0045.172] GetTickCount () returned 0x1145c05 [0045.172] GetTickCount () returned 0x1145c05 [0045.172] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.172] GetProcessHeap () returned 0x4e0000 [0045.172] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.172] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.487] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.488] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.488] GetProcessHeap () returned 0x4e0000 [0045.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.488] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.488] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.491] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.491] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.491] CloseHandle (hObject=0x210) returned 1 [0045.492] GetProcessHeap () returned 0x4e0000 [0045.492] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.492] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.492] GetProcessHeap () returned 0x4e0000 [0045.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.492] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x8e160, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0045.492] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.492] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.492] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.492] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0045.492] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.492] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 73 [0045.492] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.492] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.493] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.493] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.493] GetTickCount () returned 0x1145d4d [0045.493] GetTickCount () returned 0x1145d4d [0045.493] GetTickCount () returned 0x1145d4d [0045.493] GetTickCount () returned 0x1145d4d [0045.493] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.493] GetProcessHeap () returned 0x4e0000 [0045.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.493] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.495] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.495] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.495] GetProcessHeap () returned 0x4e0000 [0045.495] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.495] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.495] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.497] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.497] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.497] CloseHandle (hObject=0x210) returned 1 [0045.497] GetProcessHeap () returned 0x4e0000 [0045.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.497] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.498] GetProcessHeap () returned 0x4e0000 [0045.498] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.498] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749d2200, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x749d2200, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x5ab60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0045.498] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0045.498] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.498] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.498] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0045.498] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.498] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 73 [0045.498] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.498] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.498] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="taridd") returned -1 [0045.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.499] GetTickCount () returned 0x1145d4d [0045.499] GetTickCount () returned 0x1145d4d [0045.499] GetTickCount () returned 0x1145d4d [0045.499] GetTickCount () returned 0x1145d4d [0045.499] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.499] GetProcessHeap () returned 0x4e0000 [0045.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.499] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.501] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.501] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.501] GetProcessHeap () returned 0x4e0000 [0045.501] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.501] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.501] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.504] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.504] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.504] CloseHandle (hObject=0x210) returned 1 [0045.504] GetProcessHeap () returned 0x4e0000 [0045.504] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.504] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.505] GetProcessHeap () returned 0x4e0000 [0045.505] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.505] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d7a1200, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6d7a1200, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0045.505] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0045.505] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.505] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.505] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.505] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.505] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 69 [0045.505] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.505] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.505] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="taridd") returned -1 [0045.505] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.506] GetTickCount () returned 0x1145d5d [0045.506] GetTickCount () returned 0x1145d5d [0045.506] GetTickCount () returned 0x1145d5d [0045.506] GetTickCount () returned 0x1145d5d [0045.506] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.506] GetProcessHeap () returned 0x4e0000 [0045.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.506] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.508] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.508] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.509] GetProcessHeap () returned 0x4e0000 [0045.509] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.509] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.509] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.509] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.509] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.509] CloseHandle (hObject=0x210) returned 1 [0045.509] GetProcessHeap () returned 0x4e0000 [0045.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.509] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll_forv_{KNUJ5K}.for") returned 87 [0045.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.510] GetProcessHeap () returned 0x4e0000 [0045.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.510] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8e7d800, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc8e7d800, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4160, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0045.510] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.510] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.510] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.510] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.510] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.510] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 70 [0045.510] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.510] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.510] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.510] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.510] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.512] GetTickCount () returned 0x1145d5d [0045.513] GetTickCount () returned 0x1145d5d [0045.513] GetTickCount () returned 0x1145d5d [0045.513] GetTickCount () returned 0x1145d5d [0045.513] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.513] GetProcessHeap () returned 0x4e0000 [0045.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.513] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.515] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.515] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.515] GetProcessHeap () returned 0x4e0000 [0045.515] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.515] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.515] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.515] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.515] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.515] CloseHandle (hObject=0x210) returned 1 [0045.515] GetProcessHeap () returned 0x4e0000 [0045.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.516] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.516] GetProcessHeap () returned 0x4e0000 [0045.516] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.516] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0045.516] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0045.516] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.516] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0045.516] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.516] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.516] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 72 [0045.516] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.516] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.516] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="taridd") returned 1 [0045.516] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.517] GetTickCount () returned 0x1145d5d [0045.517] GetTickCount () returned 0x1145d5d [0045.517] GetTickCount () returned 0x1145d5d [0045.517] GetTickCount () returned 0x1145d5d [0045.517] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.517] GetProcessHeap () returned 0x4e0000 [0045.517] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.517] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.519] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.519] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.520] GetProcessHeap () returned 0x4e0000 [0045.520] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.520] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.520] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.520] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.520] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.520] CloseHandle (hObject=0x210) returned 1 [0045.520] GetProcessHeap () returned 0x4e0000 [0045.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.520] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.521] GetProcessHeap () returned 0x4e0000 [0045.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.521] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a315700, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a315700, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x77560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0045.521] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.521] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.521] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0045.521] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.521] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.521] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 71 [0045.521] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.521] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.521] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="taridd") returned 1 [0045.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.521] GetTickCount () returned 0x1145d6c [0045.521] GetTickCount () returned 0x1145d6c [0045.521] GetTickCount () returned 0x1145d6c [0045.521] GetTickCount () returned 0x1145d6c [0045.521] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.521] GetProcessHeap () returned 0x4e0000 [0045.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.522] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.524] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.524] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.524] GetProcessHeap () returned 0x4e0000 [0045.524] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.524] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.525] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.527] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.527] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.527] CloseHandle (hObject=0x210) returned 1 [0045.527] GetProcessHeap () returned 0x4e0000 [0045.527] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.527] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.528] GetProcessHeap () returned 0x4e0000 [0045.528] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.528] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x25b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0045.528] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0045.528] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.528] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0045.528] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.528] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.528] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0045.528] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.528] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.528] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="taridd") returned 1 [0045.528] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.528] GetTickCount () returned 0x1145d6c [0045.528] GetTickCount () returned 0x1145d6c [0045.528] GetTickCount () returned 0x1145d6c [0045.528] GetTickCount () returned 0x1145d6c [0045.528] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.529] GetProcessHeap () returned 0x4e0000 [0045.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.529] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.530] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.530] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.530] GetProcessHeap () returned 0x4e0000 [0045.530] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.530] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.531] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.532] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.532] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.532] CloseHandle (hObject=0x210) returned 1 [0045.532] GetProcessHeap () returned 0x4e0000 [0045.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.532] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.533] GetProcessHeap () returned 0x4e0000 [0045.533] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.533] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x115b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0045.533] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0045.533] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.533] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0045.533] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0045.533] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.533] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0045.533] StrStrIW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.533] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.533] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="taridd") returned 1 [0045.533] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.533] GetTickCount () returned 0x1145d6c [0045.533] GetTickCount () returned 0x1145d6c [0045.533] GetTickCount () returned 0x1145d6c [0045.533] GetTickCount () returned 0x1145d6c [0045.533] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.533] GetProcessHeap () returned 0x4e0000 [0045.533] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.533] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.536] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.536] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.551] GetProcessHeap () returned 0x4e0000 [0045.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.551] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.552] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.554] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.554] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.554] CloseHandle (hObject=0x210) returned 1 [0045.554] GetProcessHeap () returned 0x4e0000 [0045.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.554] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.555] GetProcessHeap () returned 0x4e0000 [0045.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.555] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b688100, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6b688100, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x25360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0045.555] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0045.555] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.555] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0045.555] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.555] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.555] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0045.555] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.555] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.555] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="taridd") returned 1 [0045.555] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.555] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.556] GetTickCount () returned 0x1145d8b [0045.556] GetTickCount () returned 0x1145d8b [0045.556] GetTickCount () returned 0x1145d8b [0045.556] GetTickCount () returned 0x1145d8b [0045.557] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.557] GetProcessHeap () returned 0x4e0000 [0045.557] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.557] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.558] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.558] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.558] GetProcessHeap () returned 0x4e0000 [0045.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.558] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.558] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.560] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.560] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.560] CloseHandle (hObject=0x210) returned 1 [0045.560] GetProcessHeap () returned 0x4e0000 [0045.560] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.560] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.560] GetProcessHeap () returned 0x4e0000 [0045.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.561] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a375400, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a375400, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x137960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0045.561] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0045.561] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.561] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0045.561] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0045.561] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.561] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0045.561] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.561] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.561] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="taridd") returned 1 [0045.561] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.561] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.561] GetTickCount () returned 0x1145d8b [0045.561] GetTickCount () returned 0x1145d8b [0045.561] GetTickCount () returned 0x1145d8b [0045.561] GetTickCount () returned 0x1145d8b [0045.561] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.561] GetProcessHeap () returned 0x4e0000 [0045.561] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.561] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.570] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.571] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.572] GetProcessHeap () returned 0x4e0000 [0045.572] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.572] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.572] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.578] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.578] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.578] CloseHandle (hObject=0x210) returned 1 [0045.578] GetProcessHeap () returned 0x4e0000 [0045.578] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.578] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.579] GetProcessHeap () returned 0x4e0000 [0045.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.579] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0045.579] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0045.579] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.579] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0045.579] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.579] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.579] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0045.579] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.579] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.579] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="taridd") returned 1 [0045.579] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.579] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.579] GetTickCount () returned 0x1145d9b [0045.579] GetTickCount () returned 0x1145d9b [0045.579] GetTickCount () returned 0x1145d9b [0045.579] GetTickCount () returned 0x1145d9b [0045.579] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.580] GetProcessHeap () returned 0x4e0000 [0045.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.580] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.582] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.582] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.582] GetProcessHeap () returned 0x4e0000 [0045.583] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.583] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.583] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.583] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.583] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.583] CloseHandle (hObject=0x210) returned 1 [0045.583] GetProcessHeap () returned 0x4e0000 [0045.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.583] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.584] GetProcessHeap () returned 0x4e0000 [0045.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.584] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0045.584] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0045.584] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0045.584] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0045.586] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0045.588] CloseHandle (hObject=0x204) returned 1 [0045.588] GetProcessHeap () returned 0x4e0000 [0045.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0045.588] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0045.588] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0045.588] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0045.588] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0045.588] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0045.588] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0045.588] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082") returned 51 [0045.588] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0045.588] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0045.588] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0045.588] GetProcessHeap () returned 0x4e0000 [0045.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0045.588] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*") returned 53 [0045.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0045.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0045.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0045.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0045.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0045.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0045.590] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\.") returned 53 [0045.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.590] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="..", cAlternateFileName="")) returned 1 [0045.591] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0045.591] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0045.591] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0045.591] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0045.591] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0045.591] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\..") returned 54 [0045.591] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0045.591] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.591] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0045.591] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Windows") returned -1 [0045.591] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.591] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.591] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.591] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.591] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 72 [0045.591] StrStrIW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.591] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.591] lstrcmpW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="taridd") returned -1 [0045.591] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.591] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.596] GetTickCount () returned 0x1145dab [0045.597] GetTickCount () returned 0x1145dab [0045.597] GetTickCount () returned 0x1145df9 [0045.664] GetTickCount () returned 0x1145df9 [0045.665] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.668] GetProcessHeap () returned 0x4e0000 [0045.668] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.669] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.683] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.685] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.687] GetProcessHeap () returned 0x4e0000 [0045.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.688] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.690] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.692] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.693] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.695] CloseHandle (hObject=0x210) returned 1 [0045.699] GetProcessHeap () returned 0x4e0000 [0045.699] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.700] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.711] GetProcessHeap () returned 0x4e0000 [0045.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.712] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xb960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0045.712] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Windows") returned -1 [0045.712] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.713] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.714] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.714] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.714] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 72 [0045.716] StrStrIW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.716] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.717] lstrcmpW (lpString1="GRINTL32.DLL.trx_dll", lpString2="taridd") returned -1 [0045.717] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.718] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.721] GetTickCount () returned 0x1145e27 [0045.722] GetTickCount () returned 0x1145e27 [0045.723] GetTickCount () returned 0x1145e37 [0045.724] GetTickCount () returned 0x1145e37 [0045.726] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.729] GetProcessHeap () returned 0x4e0000 [0045.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.730] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.747] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.749] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.751] GetProcessHeap () returned 0x4e0000 [0045.752] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.753] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.754] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.757] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.758] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.759] CloseHandle (hObject=0x210) returned 1 [0045.762] GetProcessHeap () returned 0x4e0000 [0045.762] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.763] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.774] GetProcessHeap () returned 0x4e0000 [0045.774] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.775] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x39960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0045.776] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Windows") returned -1 [0045.777] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.777] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.778] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files") returned -1 [0045.778] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.779] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 73 [0045.779] StrStrIW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.780] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.781] lstrcmpW (lpString1="GRINTL32.REST.trx_dll", lpString2="taridd") returned -1 [0045.781] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.781] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.785] GetTickCount () returned 0x1145e66 [0045.785] GetTickCount () returned 0x1145e66 [0045.785] GetTickCount () returned 0x1145e75 [0045.786] GetTickCount () returned 0x1145e75 [0045.787] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.790] GetProcessHeap () returned 0x4e0000 [0045.791] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.791] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.807] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.808] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.810] GetProcessHeap () returned 0x4e0000 [0045.811] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.811] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.813] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.817] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.819] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.821] CloseHandle (hObject=0x210) returned 1 [0045.823] GetProcessHeap () returned 0x4e0000 [0045.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.825] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.850] GetProcessHeap () returned 0x4e0000 [0045.850] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.850] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x47d60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0045.851] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Windows") returned -1 [0045.851] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.852] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.853] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.853] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.854] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 69 [0045.854] StrStrIW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.855] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.856] lstrcmpW (lpString1="MAPIR.DLL.trx_dll", lpString2="taridd") returned -1 [0045.856] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.859] GetTickCount () returned 0x1145eb4 [0045.860] GetTickCount () returned 0x1145eb4 [0045.861] GetTickCount () returned 0x1145eb4 [0045.861] GetTickCount () returned 0x1145eb4 [0045.862] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.865] GetProcessHeap () returned 0x4e0000 [0045.865] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.866] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.877] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.877] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.877] GetProcessHeap () returned 0x4e0000 [0045.877] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.877] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.877] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.881] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.882] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.882] CloseHandle (hObject=0x210) returned 1 [0045.882] GetProcessHeap () returned 0x4e0000 [0045.882] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.882] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 87 [0045.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.882] GetProcessHeap () returned 0x4e0000 [0045.882] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.882] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0045.882] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Windows") returned -1 [0045.882] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.882] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.882] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files") returned -1 [0045.883] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.883] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 72 [0045.883] StrStrIW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.883] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.883] lstrcmpW (lpString1="MOR6INT.REST.trx_dll", lpString2="taridd") returned -1 [0045.883] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.883] GetTickCount () returned 0x1145ed3 [0045.883] GetTickCount () returned 0x1145ed3 [0045.884] GetTickCount () returned 0x1145ed3 [0045.884] GetTickCount () returned 0x1145ed3 [0045.884] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.884] GetProcessHeap () returned 0x4e0000 [0045.884] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.884] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.886] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.886] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.886] GetProcessHeap () returned 0x4e0000 [0045.886] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.886] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.886] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.887] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.887] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.887] CloseHandle (hObject=0x210) returned 1 [0045.887] GetProcessHeap () returned 0x4e0000 [0045.887] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.887] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.888] GetProcessHeap () returned 0x4e0000 [0045.888] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.888] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x248aaf00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x248aaf00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x16f60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0045.888] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.888] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.888] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.888] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.888] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.888] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 71 [0045.888] StrStrIW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.888] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.888] lstrcmpW (lpString1="MSOINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.888] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.888] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.888] GetTickCount () returned 0x1145ed3 [0045.889] GetTickCount () returned 0x1145ed3 [0045.889] GetTickCount () returned 0x1145ed3 [0045.889] GetTickCount () returned 0x1145ed3 [0045.889] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.889] GetProcessHeap () returned 0x4e0000 [0045.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.889] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.890] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.891] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.891] GetProcessHeap () returned 0x4e0000 [0045.891] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.891] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.891] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.891] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.891] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.891] CloseHandle (hObject=0x210) returned 1 [0045.892] GetProcessHeap () returned 0x4e0000 [0045.892] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.892] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.892] GetProcessHeap () returned 0x4e0000 [0045.892] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.892] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25bbdc00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x25bbdc00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2b2560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0045.892] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.892] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.892] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.892] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0045.892] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.892] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 72 [0045.892] StrStrIW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.892] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.892] lstrcmpW (lpString1="MSOINTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.892] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.893] GetTickCount () returned 0x1145ed3 [0045.893] GetTickCount () returned 0x1145ed3 [0045.893] GetTickCount () returned 0x1145ed3 [0045.893] GetTickCount () returned 0x1145ed3 [0045.893] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.893] GetProcessHeap () returned 0x4e0000 [0045.893] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.893] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.909] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.909] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.909] GetProcessHeap () returned 0x4e0000 [0045.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.909] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.909] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.911] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.911] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.911] CloseHandle (hObject=0x210) returned 1 [0045.912] GetProcessHeap () returned 0x4e0000 [0045.912] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.912] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.912] GetProcessHeap () returned 0x4e0000 [0045.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.912] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3564d600, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3564d600, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0045.912] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.912] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.912] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.912] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.912] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.912] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 71 [0045.912] StrStrIW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.913] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.913] lstrcmpW (lpString1="OMSINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.913] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.913] GetTickCount () returned 0x1145ef2 [0045.913] GetTickCount () returned 0x1145ef2 [0045.913] GetTickCount () returned 0x1145ef2 [0045.913] GetTickCount () returned 0x1145ef2 [0045.913] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.913] GetProcessHeap () returned 0x4e0000 [0045.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.913] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.915] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.915] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.915] GetProcessHeap () returned 0x4e0000 [0045.915] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.915] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.915] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.916] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.916] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.916] CloseHandle (hObject=0x210) returned 1 [0045.916] GetProcessHeap () returned 0x4e0000 [0045.916] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.916] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.916] GetProcessHeap () returned 0x4e0000 [0045.916] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.917] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x63b88300, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x63b88300, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0045.917] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.917] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.917] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.917] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.917] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.917] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 70 [0045.917] StrStrIW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.917] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.917] lstrcmpW (lpString1="ONINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.917] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.917] GetTickCount () returned 0x1145ef2 [0045.917] GetTickCount () returned 0x1145ef2 [0045.917] GetTickCount () returned 0x1145ef2 [0045.917] GetTickCount () returned 0x1145ef2 [0045.917] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.917] GetProcessHeap () returned 0x4e0000 [0045.917] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.917] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.919] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.919] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.919] GetProcessHeap () returned 0x4e0000 [0045.919] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.920] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.920] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.920] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.920] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.920] CloseHandle (hObject=0x210) returned 1 [0045.920] GetProcessHeap () returned 0x4e0000 [0045.920] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.920] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.921] GetProcessHeap () returned 0x4e0000 [0045.921] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.921] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62875600, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x62875600, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0045.921] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.921] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.921] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.921] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0045.921] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.921] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 71 [0045.921] StrStrIW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.921] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.921] lstrcmpW (lpString1="ONINTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.921] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.921] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.921] GetTickCount () returned 0x1145ef2 [0045.921] GetTickCount () returned 0x1145ef2 [0045.921] GetTickCount () returned 0x1145ef2 [0045.921] GetTickCount () returned 0x1145ef2 [0045.921] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.921] GetProcessHeap () returned 0x4e0000 [0045.921] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.921] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.923] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.923] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.923] GetProcessHeap () returned 0x4e0000 [0045.923] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.923] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.923] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.924] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.924] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.925] CloseHandle (hObject=0x210) returned 1 [0045.925] GetProcessHeap () returned 0x4e0000 [0045.925] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.925] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.925] GetProcessHeap () returned 0x4e0000 [0045.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.925] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x35960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0045.925] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Windows") returned -1 [0045.925] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.925] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.925] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.925] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.925] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 72 [0045.925] StrStrIW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.925] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.925] lstrcmpW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="taridd") returned -1 [0045.926] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.926] GetTickCount () returned 0x1145ef2 [0045.926] GetTickCount () returned 0x1145ef2 [0045.926] GetTickCount () returned 0x1145ef2 [0045.926] GetTickCount () returned 0x1145f02 [0045.926] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.926] GetProcessHeap () returned 0x4e0000 [0045.926] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.926] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.927] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.928] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.928] GetProcessHeap () returned 0x4e0000 [0045.928] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.928] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.928] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.929] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.929] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.929] CloseHandle (hObject=0x210) returned 1 [0045.929] GetProcessHeap () returned 0x4e0000 [0045.929] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.929] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.930] GetProcessHeap () returned 0x4e0000 [0045.930] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.930] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x9f560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0045.930] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Windows") returned -1 [0045.930] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.930] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.930] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files") returned -1 [0045.930] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.930] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 73 [0045.930] StrStrIW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.930] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.930] lstrcmpW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="taridd") returned -1 [0045.930] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.930] GetTickCount () returned 0x1145f02 [0045.930] GetTickCount () returned 0x1145f02 [0045.930] GetTickCount () returned 0x1145f02 [0045.930] GetTickCount () returned 0x1145f02 [0045.930] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.931] GetProcessHeap () returned 0x4e0000 [0045.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.931] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.932] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.932] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.933] GetProcessHeap () returned 0x4e0000 [0045.933] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.933] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.933] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.935] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.935] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.935] CloseHandle (hObject=0x210) returned 1 [0045.935] GetProcessHeap () returned 0x4e0000 [0045.935] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.935] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.935] GetProcessHeap () returned 0x4e0000 [0045.936] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.936] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x315ed100, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x315ed100, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0045.936] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Windows") returned -1 [0045.936] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.936] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.936] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.936] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.936] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 71 [0045.936] StrStrIW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.936] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.936] lstrcmpW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="taridd") returned -1 [0045.936] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.936] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.936] GetTickCount () returned 0x1145f02 [0045.936] GetTickCount () returned 0x1145f02 [0045.936] GetTickCount () returned 0x1145f02 [0045.936] GetTickCount () returned 0x1145f02 [0045.936] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.936] GetProcessHeap () returned 0x4e0000 [0045.936] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.936] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.938] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.938] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.938] GetProcessHeap () returned 0x4e0000 [0045.938] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.938] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.938] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.939] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.939] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.939] CloseHandle (hObject=0x210) returned 1 [0045.939] GetProcessHeap () returned 0x4e0000 [0045.939] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.939] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.939] GetProcessHeap () returned 0x4e0000 [0045.939] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.939] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a4a9400, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1a4a9400, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0xd160, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0045.939] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.939] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.939] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.940] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files") returned -1 [0045.940] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.940] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 70 [0045.940] StrStrIW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.940] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.940] lstrcmpW (lpString1="PPINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.940] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.940] GetTickCount () returned 0x1145f02 [0045.940] GetTickCount () returned 0x1145f02 [0045.940] GetTickCount () returned 0x1145f02 [0045.940] GetTickCount () returned 0x1145f02 [0045.940] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.940] GetProcessHeap () returned 0x4e0000 [0045.940] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.940] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.942] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.942] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.943] GetProcessHeap () returned 0x4e0000 [0045.943] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.943] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.943] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.943] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.943] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.943] CloseHandle (hObject=0x210) returned 1 [0045.943] GetProcessHeap () returned 0x4e0000 [0045.943] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.943] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0045.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.944] GetProcessHeap () returned 0x4e0000 [0045.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.944] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19196700, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x19196700, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0x43560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0045.944] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.944] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.944] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.944] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files") returned -1 [0045.944] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="Program Files (x86)") returned -1 [0045.944] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 71 [0045.944] StrStrIW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.944] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.944] lstrcmpW (lpString1="PPINTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.944] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.944] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.944] GetTickCount () returned 0x1145f11 [0045.944] GetTickCount () returned 0x1145f11 [0045.944] GetTickCount () returned 0x1145f11 [0045.944] GetTickCount () returned 0x1145f11 [0045.944] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.944] GetProcessHeap () returned 0x4e0000 [0045.944] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.944] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.946] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.946] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.947] GetProcessHeap () returned 0x4e0000 [0045.947] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.947] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.947] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.949] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.949] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.949] CloseHandle (hObject=0x210) returned 1 [0045.949] GetProcessHeap () returned 0x4e0000 [0045.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.949] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0045.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.950] GetProcessHeap () returned 0x4e0000 [0045.950] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.950] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a560, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0045.950] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Windows") returned -1 [0045.950] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.950] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0045.950] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0045.950] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.950] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 72 [0045.950] StrStrIW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0045.950] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.950] lstrcmpW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="taridd") returned -1 [0045.950] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.950] GetTickCount () returned 0x1145f11 [0045.950] GetTickCount () returned 0x1145f11 [0045.950] GetTickCount () returned 0x1145f11 [0045.950] GetTickCount () returned 0x1145f11 [0045.950] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.950] GetProcessHeap () returned 0x4e0000 [0045.950] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.950] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.952] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.953] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.953] GetProcessHeap () returned 0x4e0000 [0045.953] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.953] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.953] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.953] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.953] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.953] CloseHandle (hObject=0x210) returned 1 [0045.953] GetProcessHeap () returned 0x4e0000 [0045.953] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.953] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0045.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.954] GetProcessHeap () returned 0x4e0000 [0045.954] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.954] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57655500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x57655500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x87f60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0045.954] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Windows") returned -1 [0045.954] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.954] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.954] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files") returned 1 [0045.954] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.954] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 73 [0045.954] StrStrIW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.954] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.954] lstrcmpW (lpString1="PUB6INTL.REST.trx_dll", lpString2="taridd") returned -1 [0045.954] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.954] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.954] GetTickCount () returned 0x1145f11 [0045.954] GetTickCount () returned 0x1145f11 [0045.954] GetTickCount () returned 0x1145f11 [0045.954] GetTickCount () returned 0x1145f11 [0045.955] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.955] GetProcessHeap () returned 0x4e0000 [0045.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.955] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.956] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.956] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.957] GetProcessHeap () returned 0x4e0000 [0045.957] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.957] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.957] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.959] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.960] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.960] CloseHandle (hObject=0x210) returned 1 [0045.960] GetProcessHeap () returned 0x4e0000 [0045.960] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.960] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0045.960] GetProcessHeap () returned 0x4e0000 [0045.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0045.960] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2720b500, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2720b500, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x57f60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0045.961] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Windows") returned -1 [0045.961] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0045.961] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="System Volume Information") returned -1 [0045.961] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files") returned 1 [0045.961] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0045.961] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 73 [0045.961] StrStrIW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".for") returned 0x0 [0045.961] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0045.961] lstrcmpW (lpString1="PUBWZINT.REST.trx_dll", lpString2="taridd") returned -1 [0045.961] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0045.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0045.961] GetTickCount () returned 0x1145f21 [0045.961] GetTickCount () returned 0x1145f21 [0045.961] GetTickCount () returned 0x1145f21 [0045.961] GetTickCount () returned 0x1145f21 [0045.961] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0045.961] GetProcessHeap () returned 0x4e0000 [0045.961] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0045.961] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.963] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.963] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0045.963] GetProcessHeap () returned 0x4e0000 [0045.963] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0045.963] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.963] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0045.971] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0045.974] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0045.977] CloseHandle (hObject=0x210) returned 1 [0045.980] GetProcessHeap () returned 0x4e0000 [0045.983] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0045.983] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0045.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.278] GetProcessHeap () returned 0x4e0000 [0046.279] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.281] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94d0df00, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x94d0df00, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0046.281] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Windows") returned -1 [0046.281] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.282] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0046.283] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.285] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.285] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 69 [0046.288] StrStrIW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.288] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.288] lstrcmpW (lpString1="SGRES.DLL.trx_dll", lpString2="taridd") returned -1 [0046.288] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.288] GetTickCount () returned 0x1146069 [0046.288] GetTickCount () returned 0x1146069 [0046.288] GetTickCount () returned 0x1146069 [0046.288] GetTickCount () returned 0x1146069 [0046.288] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.288] GetProcessHeap () returned 0x4e0000 [0046.288] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.288] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.294] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.294] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.295] GetProcessHeap () returned 0x4e0000 [0046.295] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.295] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.295] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.295] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.295] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.295] CloseHandle (hObject=0x210) returned 1 [0046.295] GetProcessHeap () returned 0x4e0000 [0046.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.295] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll_forv_{KNUJ5K}.for") returned 87 [0046.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.296] GetProcessHeap () returned 0x4e0000 [0046.296] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.296] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xca190500, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xca190500, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0046.296] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0046.296] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.296] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="System Volume Information") returned -1 [0046.296] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.296] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.296] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 70 [0046.296] StrStrIW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.296] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.296] lstrcmpW (lpString1="STINTL.DLL.trx_dll", lpString2="taridd") returned -1 [0046.296] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.296] GetTickCount () returned 0x1146069 [0046.296] GetTickCount () returned 0x1146069 [0046.296] GetTickCount () returned 0x1146069 [0046.296] GetTickCount () returned 0x1146069 [0046.296] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.297] GetProcessHeap () returned 0x4e0000 [0046.297] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.297] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.298] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.298] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.299] GetProcessHeap () returned 0x4e0000 [0046.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.299] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.299] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.299] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.299] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.299] CloseHandle (hObject=0x210) returned 1 [0046.299] GetProcessHeap () returned 0x4e0000 [0046.299] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.300] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0046.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.300] GetProcessHeap () returned 0x4e0000 [0046.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.300] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0046.300] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Windows") returned -1 [0046.300] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.300] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0046.300] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.300] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.300] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 72 [0046.300] StrStrIW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.300] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.300] lstrcmpW (lpString1="VISBRRES.DLL.trx_dll", lpString2="taridd") returned 1 [0046.300] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.300] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.301] GetTickCount () returned 0x1146078 [0046.301] GetTickCount () returned 0x1146078 [0046.301] GetTickCount () returned 0x1146078 [0046.301] GetTickCount () returned 0x1146078 [0046.301] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.301] GetProcessHeap () returned 0x4e0000 [0046.301] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.301] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.303] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.303] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.304] GetProcessHeap () returned 0x4e0000 [0046.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.304] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.304] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.304] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.304] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.304] CloseHandle (hObject=0x210) returned 1 [0046.304] GetProcessHeap () returned 0x4e0000 [0046.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.304] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0046.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.305] GetProcessHeap () returned 0x4e0000 [0046.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.305] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70273800, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x70273800, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x73960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0046.305] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Windows") returned -1 [0046.305] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.305] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0046.305] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.305] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.305] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 71 [0046.305] StrStrIW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.305] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.305] lstrcmpW (lpString1="VISINTL.DLL.trx_dll", lpString2="taridd") returned 1 [0046.305] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.305] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.305] GetTickCount () returned 0x1146078 [0046.305] GetTickCount () returned 0x1146078 [0046.305] GetTickCount () returned 0x1146078 [0046.305] GetTickCount () returned 0x1146078 [0046.305] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.305] GetProcessHeap () returned 0x4e0000 [0046.305] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.305] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.308] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.308] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.308] GetProcessHeap () returned 0x4e0000 [0046.308] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.308] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.308] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.310] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.310] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.310] CloseHandle (hObject=0x210) returned 1 [0046.310] GetProcessHeap () returned 0x4e0000 [0046.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.310] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 89 [0046.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.311] GetProcessHeap () returned 0x4e0000 [0046.311] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.311] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1789a00, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa1789a00, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x24360, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0046.311] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Windows") returned 1 [0046.311] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.311] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0046.311] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.311] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.311] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 70 [0046.311] StrStrIW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.311] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.311] lstrcmpW (lpString1="WWINTL.DLL.trx_dll", lpString2="taridd") returned 1 [0046.311] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.311] GetTickCount () returned 0x1146078 [0046.311] GetTickCount () returned 0x1146078 [0046.311] GetTickCount () returned 0x1146078 [0046.311] GetTickCount () returned 0x1146078 [0046.311] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.311] GetProcessHeap () returned 0x4e0000 [0046.312] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.312] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.314] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.314] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.314] GetProcessHeap () returned 0x4e0000 [0046.314] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.314] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.315] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.315] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.316] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.316] CloseHandle (hObject=0x210) returned 1 [0046.316] GetProcessHeap () returned 0x4e0000 [0046.316] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.316] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll_forv_{KNUJ5K}.for") returned 88 [0046.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.317] GetProcessHeap () returned 0x4e0000 [0046.317] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.317] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2a9c700, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa2a9c700, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x110b60, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0046.317] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Windows") returned 1 [0046.317] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.317] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="System Volume Information") returned 1 [0046.317] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files") returned 1 [0046.317] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.317] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0046.317] StrStrIW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".for") returned 0x0 [0046.317] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.317] lstrcmpW (lpString1="WWINTL.REST.trx_dll", lpString2="taridd") returned 1 [0046.317] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.317] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.318] GetTickCount () returned 0x1146088 [0046.318] GetTickCount () returned 0x1146088 [0046.318] GetTickCount () returned 0x1146088 [0046.318] GetTickCount () returned 0x1146088 [0046.318] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.318] GetProcessHeap () returned 0x4e0000 [0046.318] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.318] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.320] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.320] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.320] GetProcessHeap () returned 0x4e0000 [0046.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.320] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.320] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.324] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.324] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.324] CloseHandle (hObject=0x210) returned 1 [0046.324] GetProcessHeap () returned 0x4e0000 [0046.324] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.324] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll_forv_{KNUJ5K}.for") returned 89 [0046.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.324] GetProcessHeap () returned 0x4e0000 [0046.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.324] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x23960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0046.324] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Windows") returned 1 [0046.325] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.325] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0046.325] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.325] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.325] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0046.325] StrStrIW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.325] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.325] lstrcmpW (lpString1="XLINTL32.DLL.trx_dll", lpString2="taridd") returned 1 [0046.325] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.325] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.325] GetTickCount () returned 0x1146088 [0046.325] GetTickCount () returned 0x1146088 [0046.325] GetTickCount () returned 0x1146088 [0046.325] GetTickCount () returned 0x1146088 [0046.325] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.325] GetProcessHeap () returned 0x4e0000 [0046.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.325] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.327] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.327] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.327] GetProcessHeap () returned 0x4e0000 [0046.327] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.327] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.327] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.329] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.329] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.329] CloseHandle (hObject=0x210) returned 1 [0046.329] GetProcessHeap () returned 0x4e0000 [0046.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.329] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0046.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.329] GetProcessHeap () returned 0x4e0000 [0046.329] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.329] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x126760, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0046.329] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Windows") returned 1 [0046.329] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.329] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="System Volume Information") returned 1 [0046.329] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files") returned 1 [0046.329] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.330] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0046.330] StrStrIW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".for") returned 0x0 [0046.330] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.330] lstrcmpW (lpString1="XLINTL32.REST.trx_dll", lpString2="taridd") returned 1 [0046.330] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.330] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.330] GetTickCount () returned 0x1146088 [0046.330] GetTickCount () returned 0x1146088 [0046.330] GetTickCount () returned 0x1146088 [0046.330] GetTickCount () returned 0x1146088 [0046.330] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.330] GetProcessHeap () returned 0x4e0000 [0046.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.330] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.331] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.332] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.332] GetProcessHeap () returned 0x4e0000 [0046.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.332] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.332] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.336] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.336] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.336] CloseHandle (hObject=0x210) returned 1 [0046.336] GetProcessHeap () returned 0x4e0000 [0046.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.336] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll_forv_{KNUJ5K}.for") returned 91 [0046.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.337] GetProcessHeap () returned 0x4e0000 [0046.337] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.337] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0046.337] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Windows") returned 1 [0046.337] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$Recycle.bin") returned 1 [0046.337] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="System Volume Information") returned 1 [0046.337] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files") returned 1 [0046.337] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="Program Files (x86)") returned 1 [0046.337] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0046.337] StrStrIW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".for") returned 0x0 [0046.337] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.337] lstrcmpW (lpString1="XLSLICER.DLL.trx_dll", lpString2="taridd") returned 1 [0046.337] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0046.337] GetTickCount () returned 0x1146097 [0046.337] GetTickCount () returned 0x1146097 [0046.337] GetTickCount () returned 0x1146097 [0046.337] GetTickCount () returned 0x1146097 [0046.337] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ea70*, pdwDataLen=0x2d8eb20*=0x80) returned 1 [0046.337] GetProcessHeap () returned 0x4e0000 [0046.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.337] ReadFile (in: hFile=0x210, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.358] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.358] WriteFile (in: hFile=0x210, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8eb24*=0x2800, lpOverlapped=0x0) returned 1 [0046.358] GetProcessHeap () returned 0x4e0000 [0046.358] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.358] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.358] WriteFile (in: hFile=0x210, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8eb24*=0x300, lpOverlapped=0x0) returned 1 [0046.358] WriteFile (in: hFile=0x210, lpBuffer=0x2d8ea70*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d8ea70*, lpNumberOfBytesWritten=0x2d8eb24*=0x80, lpOverlapped=0x0) returned 1 [0046.358] WriteFile (in: hFile=0x210, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8eb24, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8eb24*=0x4, lpOverlapped=0x0) returned 1 [0046.358] CloseHandle (hObject=0x210) returned 1 [0046.359] GetProcessHeap () returned 0x4e0000 [0046.359] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543630 [0046.359] wnsprintfW (in: pszDest=0x543630, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll_forv_{KNUJ5K}.for") returned 90 [0046.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll_forv_{knuj5k}.for")) returned 1 [0046.359] GetProcessHeap () returned 0x4e0000 [0046.359] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543630 | out: hHeap=0x4e0000) returned 1 [0046.359] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x2d8eba8, dwReserved1=0x771791c9, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0046.359] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0046.359] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0046.359] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0046.360] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0046.360] CloseHandle (hObject=0x204) returned 1 [0046.360] GetProcessHeap () returned 0x4e0000 [0046.360] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0046.360] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 0 [0046.361] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.361] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0046.361] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.361] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0046.362] CloseHandle (hObject=0x208) returned 1 [0046.362] GetProcessHeap () returned 0x4e0000 [0046.362] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.362] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 0 [0046.362] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0046.362] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0046.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0046.363] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0046.363] CloseHandle (hObject=0x150) returned 1 [0046.364] GetProcessHeap () returned 0x4e0000 [0046.364] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0046.364] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0046.364] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0046.364] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0046.364] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0046.364] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files") returned -1 [0046.364] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Program Files (x86)") returned -1 [0046.364] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 61 [0046.364] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0046.364] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0046.364] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.364] GetProcessHeap () returned 0x4e0000 [0046.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0046.364] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned 63 [0046.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0046.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.364] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.364] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.364] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.365] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\.") returned 63 [0046.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.365] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.365] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.365] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\..") returned 64 [0046.365] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.365] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.365] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cache", cAlternateFileName="")) returned 1 [0046.365] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0046.365] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0046.365] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0046.365] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0046.365] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0046.365] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 67 [0046.365] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0046.365] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0046.365] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.365] GetProcessHeap () returned 0x4e0000 [0046.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.365] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned 69 [0046.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0046.365] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.365] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.365] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.365] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.366] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\.") returned 69 [0046.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.366] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.366] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.366] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.366] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.366] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.366] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.366] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\..") returned 70 [0046.366] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.366] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0046.366] lstrcmpiW (lpString1="cache.dat", lpString2="Windows") returned -1 [0046.366] lstrcmpiW (lpString1="cache.dat", lpString2="$Recycle.bin") returned 1 [0046.366] lstrcmpiW (lpString1="cache.dat", lpString2="System Volume Information") returned -1 [0046.366] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files") returned -1 [0046.366] lstrcmpiW (lpString1="cache.dat", lpString2="Program Files (x86)") returned -1 [0046.366] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0046.366] StrStrIW (lpFirst="cache.dat", lpSrch=".for") returned 0x0 [0046.366] lstrcmpW (lpString1="cache.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.366] lstrcmpW (lpString1="cache.dat", lpString2="taridd") returned -1 [0046.366] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.366] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0046.366] GetTickCount () returned 0x11460b7 [0046.366] GetTickCount () returned 0x11460b7 [0046.366] GetTickCount () returned 0x11460b7 [0046.366] GetTickCount () returned 0x11460b7 [0046.367] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ecf8*, pdwDataLen=0x2d8eda8*=0x80) returned 1 [0046.367] GetProcessHeap () returned 0x4e0000 [0046.367] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.367] ReadFile (in: hFile=0x204, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0046.429] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.432] WriteFile (in: hFile=0x204, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8edac*=0x2800, lpOverlapped=0x0) returned 1 [0046.436] GetProcessHeap () returned 0x4e0000 [0046.437] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.438] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.439] WriteFile (in: hFile=0x204, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8edac*=0x300, lpOverlapped=0x0) returned 1 [0046.458] WriteFile (in: hFile=0x204, lpBuffer=0x2d8ecf8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x2d8ecf8*, lpNumberOfBytesWritten=0x2d8edac*=0x80, lpOverlapped=0x0) returned 1 [0046.459] WriteFile (in: hFile=0x204, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8edac, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8edac*=0x4, lpOverlapped=0x0) returned 1 [0046.461] CloseHandle (hObject=0x204) returned 1 [0046.464] GetProcessHeap () returned 0x4e0000 [0046.464] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0046.465] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat_forv_{KNUJ5K}.for") returned 95 [0046.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat_forv_{knuj5k}.for")) returned 1 [0046.476] GetProcessHeap () returned 0x4e0000 [0046.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0046.476] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0046.478] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.479] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0046.480] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.485] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0046.506] CloseHandle (hObject=0x208) returned 1 [0046.509] GetProcessHeap () returned 0x4e0000 [0046.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.511] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0046.511] lstrcmpiW (lpString1="tokens.dat", lpString2="Windows") returned -1 [0046.512] lstrcmpiW (lpString1="tokens.dat", lpString2="$Recycle.bin") returned 1 [0046.513] lstrcmpiW (lpString1="tokens.dat", lpString2="System Volume Information") returned 1 [0046.513] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files") returned 1 [0046.514] lstrcmpiW (lpString1="tokens.dat", lpString2="Program Files (x86)") returned 1 [0046.516] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0046.518] StrStrIW (lpFirst="tokens.dat", lpSrch=".for") returned 0x0 [0046.518] lstrcmpW (lpString1="tokens.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.520] lstrcmpW (lpString1="tokens.dat", lpString2="taridd") returned 1 [0046.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.570] GetTickCount () returned 0x1146181 [0046.571] GetTickCount () returned 0x1146181 [0046.572] GetTickCount () returned 0x1146181 [0046.573] GetTickCount () returned 0x1146181 [0046.576] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0046.584] GetProcessHeap () returned 0x4e0000 [0046.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0046.587] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0046.634] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.636] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0046.641] GetProcessHeap () returned 0x4e0000 [0046.641] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0046.642] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.643] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0046.658] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0046.658] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0046.658] CloseHandle (hObject=0x208) returned 1 [0046.659] GetProcessHeap () returned 0x4e0000 [0046.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.659] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat_forv_{KNUJ5K}.for") returned 90 [0046.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat_forv_{knuj5k}.for")) returned 1 [0046.660] GetProcessHeap () returned 0x4e0000 [0046.660] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.660] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0046.660] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0046.660] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0046.660] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0046.662] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0046.663] CloseHandle (hObject=0x150) returned 1 [0046.663] GetProcessHeap () returned 0x4e0000 [0046.663] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0046.663] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RAC", cAlternateFileName="")) returned 1 [0046.663] lstrcmpiW (lpString1="RAC", lpString2="Windows") returned -1 [0046.663] lstrcmpiW (lpString1="RAC", lpString2="$Recycle.bin") returned 1 [0046.664] lstrcmpiW (lpString1="RAC", lpString2="System Volume Information") returned -1 [0046.664] lstrcmpiW (lpString1="RAC", lpString2="Program Files") returned 1 [0046.664] lstrcmpiW (lpString1="RAC", lpString2="Program Files (x86)") returned 1 [0046.664] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned 32 [0046.664] lstrcmpW (lpString1="RAC", lpString2=".") returned 1 [0046.664] lstrcmpW (lpString1="RAC", lpString2="..") returned 1 [0046.664] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.664] GetProcessHeap () returned 0x4e0000 [0046.664] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0046.664] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*") returned 34 [0046.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0046.664] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.664] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.664] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.664] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.664] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.664] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\.") returned 34 [0046.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.664] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.664] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.664] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.664] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.664] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.664] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\..") returned 35 [0046.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.664] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outbound", cAlternateFileName="")) returned 1 [0046.664] lstrcmpiW (lpString1="Outbound", lpString2="Windows") returned -1 [0046.664] lstrcmpiW (lpString1="Outbound", lpString2="$Recycle.bin") returned 1 [0046.665] lstrcmpiW (lpString1="Outbound", lpString2="System Volume Information") returned -1 [0046.665] lstrcmpiW (lpString1="Outbound", lpString2="Program Files") returned -1 [0046.665] lstrcmpiW (lpString1="Outbound", lpString2="Program Files (x86)") returned -1 [0046.665] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned 41 [0046.665] lstrcmpW (lpString1="Outbound", lpString2=".") returned 1 [0046.665] lstrcmpW (lpString1="Outbound", lpString2="..") returned 1 [0046.665] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.665] GetProcessHeap () returned 0x4e0000 [0046.665] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.665] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*") returned 43 [0046.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0046.665] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.665] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.665] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.665] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.665] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.665] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\.") returned 43 [0046.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.665] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.665] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.665] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.665] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.665] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.665] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.665] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\..") returned 44 [0046.665] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.665] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.665] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0046.666] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.666] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0046.666] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.666] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0046.667] CloseHandle (hObject=0x208) returned 1 [0046.667] GetProcessHeap () returned 0x4e0000 [0046.667] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.667] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0046.667] lstrcmpiW (lpString1="PublishedData", lpString2="Windows") returned -1 [0046.667] lstrcmpiW (lpString1="PublishedData", lpString2="$Recycle.bin") returned 1 [0046.667] lstrcmpiW (lpString1="PublishedData", lpString2="System Volume Information") returned -1 [0046.667] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files") returned 1 [0046.667] lstrcmpiW (lpString1="PublishedData", lpString2="Program Files (x86)") returned 1 [0046.667] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned 46 [0046.667] lstrcmpW (lpString1="PublishedData", lpString2=".") returned 1 [0046.667] lstrcmpW (lpString1="PublishedData", lpString2="..") returned 1 [0046.667] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.667] GetProcessHeap () returned 0x4e0000 [0046.667] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.667] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*") returned 48 [0046.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0046.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.668] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\.") returned 48 [0046.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.668] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.668] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.668] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.668] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\..") returned 49 [0046.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.668] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c879ed0, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0046.668] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Windows") returned -1 [0046.668] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0046.668] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="System Volume Information") returned -1 [0046.668] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files") returned 1 [0046.668] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0046.668] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 65 [0046.668] StrStrIW (lpFirst="RacWmiDatabase.sdf", lpSrch=".for") returned 0x0 [0046.668] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.668] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="taridd") returned -1 [0046.668] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.668] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0046.669] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c879ed0, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0046.669] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.669] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0046.669] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.669] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0046.670] CloseHandle (hObject=0x208) returned 1 [0046.672] GetProcessHeap () returned 0x4e0000 [0046.672] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.672] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0046.672] lstrcmpiW (lpString1="StateData", lpString2="Windows") returned -1 [0046.672] lstrcmpiW (lpString1="StateData", lpString2="$Recycle.bin") returned 1 [0046.672] lstrcmpiW (lpString1="StateData", lpString2="System Volume Information") returned -1 [0046.672] lstrcmpiW (lpString1="StateData", lpString2="Program Files") returned 1 [0046.672] lstrcmpiW (lpString1="StateData", lpString2="Program Files (x86)") returned 1 [0046.672] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned 42 [0046.672] lstrcmpW (lpString1="StateData", lpString2=".") returned 1 [0046.672] lstrcmpW (lpString1="StateData", lpString2="..") returned 1 [0046.672] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.672] GetProcessHeap () returned 0x4e0000 [0046.672] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.672] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*") returned 44 [0046.672] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0046.673] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.673] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.673] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.673] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.673] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.673] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\.") returned 44 [0046.673] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.673] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c82dc10, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c82dc10, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.673] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.673] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.673] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.673] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.673] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.673] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\..") returned 45 [0046.673] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.673] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.673] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xbddb7d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0046.673] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Windows") returned -1 [0046.673] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$Recycle.bin") returned 1 [0046.673] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="System Volume Information") returned -1 [0046.673] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files") returned 1 [0046.673] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="Program Files (x86)") returned 1 [0046.673] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 58 [0046.673] StrStrIW (lpFirst="RacDatabase.sdf", lpSrch=".for") returned 0x0 [0046.673] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.673] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="taridd") returned -1 [0046.673] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.673] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0046.674] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0046.674] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Windows") returned -1 [0046.674] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$Recycle.bin") returned 1 [0046.674] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="System Volume Information") returned -1 [0046.674] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files") returned 1 [0046.674] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="Program Files (x86)") returned 1 [0046.674] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 58 [0046.674] StrStrIW (lpFirst="RacMetaData.dat", lpSrch=".for") returned 0x0 [0046.674] lstrcmpW (lpString1="RacMetaData.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.674] lstrcmpW (lpString1="RacMetaData.dat", lpString2="taridd") returned -1 [0046.674] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0046.674] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0046.674] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.674] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0046.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0046.674] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0046.675] CloseHandle (hObject=0x208) returned 1 [0046.675] GetProcessHeap () returned 0x4e0000 [0046.675] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0046.675] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0046.675] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0046.675] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0046.675] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0046.676] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0046.676] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0046.676] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned 37 [0046.676] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0046.676] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0046.676] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0046.676] GetProcessHeap () returned 0x4e0000 [0046.676] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0046.676] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*") returned 39 [0046.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0046.676] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0046.676] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0046.676] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0046.676] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0046.676] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0046.676] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\.") returned 39 [0046.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.676] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.676] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0046.676] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0046.676] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0046.676] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0046.676] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0046.676] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\..") returned 40 [0046.676] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0046.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.676] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c984870, ftCreationTime.dwHighDateTime=0x1d593ef, ftLastAccessTime.dwLowDateTime=0x2c984870, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9aa9d0, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="sql30C0.tmp", cAlternateFileName="")) returned 1 [0046.676] lstrcmpiW (lpString1="sql30C0.tmp", lpString2="Windows") returned -1 [0046.676] lstrcmpiW (lpString1="sql30C0.tmp", lpString2="$Recycle.bin") returned 1 [0046.676] lstrcmpiW (lpString1="sql30C0.tmp", lpString2="System Volume Information") returned -1 [0046.676] lstrcmpiW (lpString1="sql30C0.tmp", lpString2="Program Files") returned 1 [0046.677] lstrcmpiW (lpString1="sql30C0.tmp", lpString2="Program Files (x86)") returned 1 [0046.677] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30C0.tmp") returned 49 [0046.677] StrStrIW (lpFirst="sql30C0.tmp", lpSrch=".for") returned 0x0 [0046.677] lstrcmpW (lpString1="sql30C0.tmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.677] lstrcmpW (lpString1="sql30C0.tmp", lpString2="taridd") returned -1 [0046.677] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30C0.tmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.677] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30C0.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql30c0.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0046.677] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c9d0b30, ftCreationTime.dwHighDateTime=0x1d593ef, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="sql30E0.tmp", cAlternateFileName="")) returned 1 [0046.677] lstrcmpiW (lpString1="sql30E0.tmp", lpString2="Windows") returned -1 [0046.677] lstrcmpiW (lpString1="sql30E0.tmp", lpString2="$Recycle.bin") returned 1 [0046.677] lstrcmpiW (lpString1="sql30E0.tmp", lpString2="System Volume Information") returned -1 [0046.678] lstrcmpiW (lpString1="sql30E0.tmp", lpString2="Program Files") returned 1 [0046.678] lstrcmpiW (lpString1="sql30E0.tmp", lpString2="Program Files (x86)") returned 1 [0046.678] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30E0.tmp") returned 49 [0046.678] StrStrIW (lpFirst="sql30E0.tmp", lpSrch=".for") returned 0x0 [0046.678] lstrcmpW (lpString1="sql30E0.tmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0046.678] lstrcmpW (lpString1="sql30E0.tmp", lpString2="taridd") returned -1 [0046.678] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30E0.tmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0046.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql30E0.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql30e0.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0046.678] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c9d0b30, ftCreationTime.dwHighDateTime=0x1d593ef, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="sql30E0.tmp", cAlternateFileName="")) returned 0 [0046.678] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0046.678] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0046.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0047.070] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0047.071] CloseHandle (hObject=0x208) returned 1 [0047.071] GetProcessHeap () returned 0x4e0000 [0047.071] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0047.071] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2c9d0b30, ftLastAccessTime.dwHighDateTime=0x1d593ef, ftLastWriteTime.dwLowDateTime=0x2c9d0b30, ftLastWriteTime.dwHighDateTime=0x1d593ef, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0047.071] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0047.071] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0047.071] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\rac\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0047.293] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0047.294] CloseHandle (hObject=0x150) returned 1 [0047.294] GetProcessHeap () returned 0x4e0000 [0047.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0047.294] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0047.294] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0047.294] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0047.294] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0047.294] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0047.294] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0047.294] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0047.294] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0047.294] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0047.294] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.294] GetProcessHeap () returned 0x4e0000 [0047.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0047.295] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned 37 [0047.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0047.298] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.298] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.298] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.298] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.298] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.298] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\.") returned 37 [0047.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.299] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.299] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.299] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.299] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.299] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.299] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.299] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\..") returned 38 [0047.299] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.299] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0047.299] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0047.299] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0047.299] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0047.299] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0047.299] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0047.299] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0047.299] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0047.299] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0047.299] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.299] GetProcessHeap () returned 0x4e0000 [0047.299] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0047.300] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned 42 [0047.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0047.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.300] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.300] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.300] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.300] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.300] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\.") returned 42 [0047.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.300] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.300] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.300] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.300] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.300] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.300] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.300] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\..") returned 43 [0047.300] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.300] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0047.300] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0047.300] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0047.300] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0047.300] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0047.300] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0047.300] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0047.300] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0047.300] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0047.300] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.300] GetProcessHeap () returned 0x4e0000 [0047.300] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0047.301] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned 55 [0047.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0047.306] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.306] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.306] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.306] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.306] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.306] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\.") returned 55 [0047.306] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.306] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.306] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.306] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.306] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.306] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.306] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.306] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\..") returned 56 [0047.306] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.306] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0047.306] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0047.306] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0047.307] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0047.307] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0047.307] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0047.307] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0047.308] CloseHandle (hObject=0x204) returned 1 [0047.308] GetProcessHeap () returned 0x4e0000 [0047.308] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0047.308] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0047.308] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0047.308] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0047.308] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0047.308] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0047.308] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0047.308] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0047.308] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0047.308] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0047.308] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.308] GetProcessHeap () returned 0x4e0000 [0047.308] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x543228 [0047.308] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned 47 [0047.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535ba0 [0047.308] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.308] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.308] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.308] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\.") returned 47 [0047.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.309] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.309] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.309] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.309] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.309] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.309] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.309] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\..") returned 48 [0047.309] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.309] FindNextFileW (in: hFindFile=0x535ba0, lpFindFileData=0x2d8eb60 | out: lpFindFileData=0x2d8eb60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5064d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.309] FindClose (in: hFindFile=0x535ba0 | out: hFindFile=0x535ba0) returned 1 [0047.309] wnsprintfW (in: pszDest=0x543228, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0047.309] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0047.336] WriteFile (in: hFile=0x204, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8eb2c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8eb2c*=0x2b0, lpOverlapped=0x0) returned 1 [0047.337] CloseHandle (hObject=0x204) returned 1 [0047.337] GetProcessHeap () returned 0x4e0000 [0047.337] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x543228 | out: hHeap=0x4e0000) returned 1 [0047.337] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0047.337] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0047.337] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0047.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0047.337] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0047.338] CloseHandle (hObject=0x208) returned 1 [0047.338] GetProcessHeap () returned 0x4e0000 [0047.338] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0047.338] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 0 [0047.338] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0047.338] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0047.338] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0047.339] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0047.339] CloseHandle (hObject=0x150) returned 1 [0047.339] GetProcessHeap () returned 0x4e0000 [0047.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0047.339] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0047.339] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0047.340] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0047.340] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0047.340] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0047.340] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0047.340] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0047.340] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0047.340] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0047.340] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.340] GetProcessHeap () returned 0x4e0000 [0047.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0047.340] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned 52 [0047.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0047.340] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.340] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.340] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.340] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.340] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.340] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\.") returned 52 [0047.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.340] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.340] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.340] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.340] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.340] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.340] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.340] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\..") returned 53 [0047.340] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.340] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0047.340] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Windows") returned -1 [0047.340] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$Recycle.bin") returned 1 [0047.340] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="System Volume Information") returned -1 [0047.340] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files") returned -1 [0047.340] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="Program Files (x86)") returned -1 [0047.340] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 75 [0047.341] StrStrIW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".for") returned 0x0 [0047.341] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.341] lstrcmpW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="taridd") returned -1 [0047.341] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0047.361] GetTickCount () returned 0x114649d [0047.362] GetTickCount () returned 0x114649d [0047.362] GetTickCount () returned 0x114649d [0047.362] GetTickCount () returned 0x114649d [0047.362] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0047.362] GetProcessHeap () returned 0x4e0000 [0047.362] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0047.362] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x0, lpOverlapped=0x0) returned 1 [0047.362] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.362] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x0, lpOverlapped=0x0) returned 1 [0047.362] GetProcessHeap () returned 0x4e0000 [0047.362] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0047.362] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.362] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0047.363] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0047.363] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0047.363] CloseHandle (hObject=0x208) returned 1 [0047.363] GetProcessHeap () returned 0x4e0000 [0047.363] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0047.363] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat_forv_{KNUJ5K}.for") returned 93 [0047.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat_forv_{knuj5k}.for")) returned 1 [0047.364] GetProcessHeap () returned 0x4e0000 [0047.364] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0047.364] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0047.364] lstrcmpiW (lpString1="Default Pictures", lpString2="Windows") returned -1 [0047.364] lstrcmpiW (lpString1="Default Pictures", lpString2="$Recycle.bin") returned 1 [0047.364] lstrcmpiW (lpString1="Default Pictures", lpString2="System Volume Information") returned -1 [0047.364] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files") returned -1 [0047.364] lstrcmpiW (lpString1="Default Pictures", lpString2="Program Files (x86)") returned -1 [0047.364] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned 67 [0047.364] lstrcmpW (lpString1="Default Pictures", lpString2=".") returned 1 [0047.364] lstrcmpW (lpString1="Default Pictures", lpString2="..") returned 1 [0047.364] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0047.364] GetProcessHeap () returned 0x4e0000 [0047.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0047.364] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned 69 [0047.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b60 [0047.370] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0047.371] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0047.371] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0047.371] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0047.371] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0047.371] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\.") returned 69 [0047.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.371] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.371] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0047.371] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0047.371] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0047.371] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0047.371] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0047.371] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\..") returned 70 [0047.371] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0047.371] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.372] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0047.372] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Windows") returned -1 [0047.372] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$Recycle.bin") returned 1 [0047.372] lstrcmpiW (lpString1="usertile10.bmp", lpString2="System Volume Information") returned 1 [0047.372] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files") returned 1 [0047.372] lstrcmpiW (lpString1="usertile10.bmp", lpString2="Program Files (x86)") returned 1 [0047.372] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 82 [0047.372] StrStrIW (lpFirst="usertile10.bmp", lpSrch=".for") returned 0x0 [0047.372] lstrcmpW (lpString1="usertile10.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.372] lstrcmpW (lpString1="usertile10.bmp", lpString2="taridd") returned 1 [0047.372] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.372] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.374] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0047.374] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Windows") returned -1 [0047.374] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$Recycle.bin") returned 1 [0047.374] lstrcmpiW (lpString1="usertile11.bmp", lpString2="System Volume Information") returned 1 [0047.374] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files") returned 1 [0047.374] lstrcmpiW (lpString1="usertile11.bmp", lpString2="Program Files (x86)") returned 1 [0047.374] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 82 [0047.374] StrStrIW (lpFirst="usertile11.bmp", lpSrch=".for") returned 0x0 [0047.374] lstrcmpW (lpString1="usertile11.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.374] lstrcmpW (lpString1="usertile11.bmp", lpString2="taridd") returned 1 [0047.374] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.375] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0047.375] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Windows") returned -1 [0047.375] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$Recycle.bin") returned 1 [0047.375] lstrcmpiW (lpString1="usertile12.bmp", lpString2="System Volume Information") returned 1 [0047.375] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files") returned 1 [0047.375] lstrcmpiW (lpString1="usertile12.bmp", lpString2="Program Files (x86)") returned 1 [0047.375] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 82 [0047.375] StrStrIW (lpFirst="usertile12.bmp", lpSrch=".for") returned 0x0 [0047.375] lstrcmpW (lpString1="usertile12.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.375] lstrcmpW (lpString1="usertile12.bmp", lpString2="taridd") returned 1 [0047.375] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.375] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0047.375] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Windows") returned -1 [0047.375] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$Recycle.bin") returned 1 [0047.375] lstrcmpiW (lpString1="usertile13.bmp", lpString2="System Volume Information") returned 1 [0047.375] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files") returned 1 [0047.375] lstrcmpiW (lpString1="usertile13.bmp", lpString2="Program Files (x86)") returned 1 [0047.375] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 82 [0047.375] StrStrIW (lpFirst="usertile13.bmp", lpSrch=".for") returned 0x0 [0047.375] lstrcmpW (lpString1="usertile13.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.375] lstrcmpW (lpString1="usertile13.bmp", lpString2="taridd") returned 1 [0047.375] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.375] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0047.375] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Windows") returned -1 [0047.375] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$Recycle.bin") returned 1 [0047.375] lstrcmpiW (lpString1="usertile14.bmp", lpString2="System Volume Information") returned 1 [0047.375] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files") returned 1 [0047.375] lstrcmpiW (lpString1="usertile14.bmp", lpString2="Program Files (x86)") returned 1 [0047.376] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 82 [0047.376] StrStrIW (lpFirst="usertile14.bmp", lpSrch=".for") returned 0x0 [0047.376] lstrcmpW (lpString1="usertile14.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.376] lstrcmpW (lpString1="usertile14.bmp", lpString2="taridd") returned 1 [0047.376] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.376] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.379] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0047.379] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Windows") returned -1 [0047.379] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$Recycle.bin") returned 1 [0047.379] lstrcmpiW (lpString1="usertile15.bmp", lpString2="System Volume Information") returned 1 [0047.379] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files") returned 1 [0047.379] lstrcmpiW (lpString1="usertile15.bmp", lpString2="Program Files (x86)") returned 1 [0047.379] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 82 [0047.379] StrStrIW (lpFirst="usertile15.bmp", lpSrch=".for") returned 0x0 [0047.380] lstrcmpW (lpString1="usertile15.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.380] lstrcmpW (lpString1="usertile15.bmp", lpString2="taridd") returned 1 [0047.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.380] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0047.380] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Windows") returned -1 [0047.380] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$Recycle.bin") returned 1 [0047.380] lstrcmpiW (lpString1="usertile16.bmp", lpString2="System Volume Information") returned 1 [0047.380] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files") returned 1 [0047.380] lstrcmpiW (lpString1="usertile16.bmp", lpString2="Program Files (x86)") returned 1 [0047.380] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 82 [0047.380] StrStrIW (lpFirst="usertile16.bmp", lpSrch=".for") returned 0x0 [0047.380] lstrcmpW (lpString1="usertile16.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.380] lstrcmpW (lpString1="usertile16.bmp", lpString2="taridd") returned 1 [0047.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.380] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0047.380] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Windows") returned -1 [0047.380] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$Recycle.bin") returned 1 [0047.380] lstrcmpiW (lpString1="usertile17.bmp", lpString2="System Volume Information") returned 1 [0047.380] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files") returned 1 [0047.380] lstrcmpiW (lpString1="usertile17.bmp", lpString2="Program Files (x86)") returned 1 [0047.380] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 82 [0047.380] StrStrIW (lpFirst="usertile17.bmp", lpSrch=".for") returned 0x0 [0047.380] lstrcmpW (lpString1="usertile17.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.380] lstrcmpW (lpString1="usertile17.bmp", lpString2="taridd") returned 1 [0047.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.380] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0047.381] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Windows") returned -1 [0047.381] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$Recycle.bin") returned 1 [0047.381] lstrcmpiW (lpString1="usertile18.bmp", lpString2="System Volume Information") returned 1 [0047.381] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files") returned 1 [0047.381] lstrcmpiW (lpString1="usertile18.bmp", lpString2="Program Files (x86)") returned 1 [0047.381] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 82 [0047.381] StrStrIW (lpFirst="usertile18.bmp", lpSrch=".for") returned 0x0 [0047.381] lstrcmpW (lpString1="usertile18.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.381] lstrcmpW (lpString1="usertile18.bmp", lpString2="taridd") returned 1 [0047.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.382] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0047.382] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Windows") returned -1 [0047.382] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$Recycle.bin") returned 1 [0047.383] lstrcmpiW (lpString1="usertile19.bmp", lpString2="System Volume Information") returned 1 [0047.383] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files") returned 1 [0047.383] lstrcmpiW (lpString1="usertile19.bmp", lpString2="Program Files (x86)") returned 1 [0047.383] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 82 [0047.383] StrStrIW (lpFirst="usertile19.bmp", lpSrch=".for") returned 0x0 [0047.383] lstrcmpW (lpString1="usertile19.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.383] lstrcmpW (lpString1="usertile19.bmp", lpString2="taridd") returned 1 [0047.383] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.383] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0047.383] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Windows") returned -1 [0047.383] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$Recycle.bin") returned 1 [0047.383] lstrcmpiW (lpString1="usertile20.bmp", lpString2="System Volume Information") returned 1 [0047.383] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files") returned 1 [0047.383] lstrcmpiW (lpString1="usertile20.bmp", lpString2="Program Files (x86)") returned 1 [0047.383] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 82 [0047.383] StrStrIW (lpFirst="usertile20.bmp", lpSrch=".for") returned 0x0 [0047.383] lstrcmpW (lpString1="usertile20.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.383] lstrcmpW (lpString1="usertile20.bmp", lpString2="taridd") returned 1 [0047.383] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.383] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0047.383] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Windows") returned -1 [0047.383] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$Recycle.bin") returned 1 [0047.383] lstrcmpiW (lpString1="usertile21.bmp", lpString2="System Volume Information") returned 1 [0047.383] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files") returned 1 [0047.383] lstrcmpiW (lpString1="usertile21.bmp", lpString2="Program Files (x86)") returned 1 [0047.383] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 82 [0047.383] StrStrIW (lpFirst="usertile21.bmp", lpSrch=".for") returned 0x0 [0047.383] lstrcmpW (lpString1="usertile21.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.384] lstrcmpW (lpString1="usertile21.bmp", lpString2="taridd") returned 1 [0047.384] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.384] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0047.384] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Windows") returned -1 [0047.384] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$Recycle.bin") returned 1 [0047.384] lstrcmpiW (lpString1="usertile22.bmp", lpString2="System Volume Information") returned 1 [0047.384] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files") returned 1 [0047.384] lstrcmpiW (lpString1="usertile22.bmp", lpString2="Program Files (x86)") returned 1 [0047.384] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 82 [0047.384] StrStrIW (lpFirst="usertile22.bmp", lpSrch=".for") returned 0x0 [0047.384] lstrcmpW (lpString1="usertile22.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.384] lstrcmpW (lpString1="usertile22.bmp", lpString2="taridd") returned 1 [0047.384] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.533] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0047.543] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Windows") returned -1 [0047.543] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$Recycle.bin") returned 1 [0047.544] lstrcmpiW (lpString1="usertile23.bmp", lpString2="System Volume Information") returned 1 [0047.545] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files") returned 1 [0047.546] lstrcmpiW (lpString1="usertile23.bmp", lpString2="Program Files (x86)") returned 1 [0047.547] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 82 [0047.547] StrStrIW (lpFirst="usertile23.bmp", lpSrch=".for") returned 0x0 [0047.556] lstrcmpW (lpString1="usertile23.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.557] lstrcmpW (lpString1="usertile23.bmp", lpString2="taridd") returned 1 [0047.558] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.559] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.574] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0047.575] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Windows") returned -1 [0047.576] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$Recycle.bin") returned 1 [0047.576] lstrcmpiW (lpString1="usertile24.bmp", lpString2="System Volume Information") returned 1 [0047.577] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files") returned 1 [0047.578] lstrcmpiW (lpString1="usertile24.bmp", lpString2="Program Files (x86)") returned 1 [0047.578] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 82 [0047.579] StrStrIW (lpFirst="usertile24.bmp", lpSrch=".for") returned 0x0 [0047.651] lstrcmpW (lpString1="usertile24.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.655] lstrcmpW (lpString1="usertile24.bmp", lpString2="taridd") returned 1 [0047.657] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.660] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.668] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0047.670] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Windows") returned -1 [0047.670] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$Recycle.bin") returned 1 [0047.671] lstrcmpiW (lpString1="usertile25.bmp", lpString2="System Volume Information") returned 1 [0047.671] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files") returned 1 [0047.672] lstrcmpiW (lpString1="usertile25.bmp", lpString2="Program Files (x86)") returned 1 [0047.673] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 82 [0047.674] StrStrIW (lpFirst="usertile25.bmp", lpSrch=".for") returned 0x0 [0047.675] lstrcmpW (lpString1="usertile25.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.676] lstrcmpW (lpString1="usertile25.bmp", lpString2="taridd") returned 1 [0047.676] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.677] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.678] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0047.678] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Windows") returned -1 [0047.678] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$Recycle.bin") returned 1 [0047.678] lstrcmpiW (lpString1="usertile26.bmp", lpString2="System Volume Information") returned 1 [0047.678] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files") returned 1 [0047.678] lstrcmpiW (lpString1="usertile26.bmp", lpString2="Program Files (x86)") returned 1 [0047.678] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 82 [0047.678] StrStrIW (lpFirst="usertile26.bmp", lpSrch=".for") returned 0x0 [0047.678] lstrcmpW (lpString1="usertile26.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0047.678] lstrcmpW (lpString1="usertile26.bmp", lpString2="taridd") returned 1 [0047.678] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0047.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0047.719] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0047.729] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Windows") returned -1 [0047.734] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$Recycle.bin") returned 1 [0048.070] lstrcmpiW (lpString1="usertile27.bmp", lpString2="System Volume Information") returned 1 [0048.073] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files") returned 1 [0048.073] lstrcmpiW (lpString1="usertile27.bmp", lpString2="Program Files (x86)") returned 1 [0048.073] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 82 [0048.073] StrStrIW (lpFirst="usertile27.bmp", lpSrch=".for") returned 0x0 [0048.073] lstrcmpW (lpString1="usertile27.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.073] lstrcmpW (lpString1="usertile27.bmp", lpString2="taridd") returned 1 [0048.073] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.074] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0048.074] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Windows") returned -1 [0048.074] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$Recycle.bin") returned 1 [0048.074] lstrcmpiW (lpString1="usertile28.bmp", lpString2="System Volume Information") returned 1 [0048.074] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files") returned 1 [0048.074] lstrcmpiW (lpString1="usertile28.bmp", lpString2="Program Files (x86)") returned 1 [0048.074] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 82 [0048.074] StrStrIW (lpFirst="usertile28.bmp", lpSrch=".for") returned 0x0 [0048.074] lstrcmpW (lpString1="usertile28.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.074] lstrcmpW (lpString1="usertile28.bmp", lpString2="taridd") returned 1 [0048.074] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.074] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0048.074] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Windows") returned -1 [0048.074] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$Recycle.bin") returned 1 [0048.074] lstrcmpiW (lpString1="usertile29.bmp", lpString2="System Volume Information") returned 1 [0048.074] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files") returned 1 [0048.074] lstrcmpiW (lpString1="usertile29.bmp", lpString2="Program Files (x86)") returned 1 [0048.074] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 82 [0048.074] StrStrIW (lpFirst="usertile29.bmp", lpSrch=".for") returned 0x0 [0048.074] lstrcmpW (lpString1="usertile29.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.074] lstrcmpW (lpString1="usertile29.bmp", lpString2="taridd") returned 1 [0048.074] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.074] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.074] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0048.075] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Windows") returned -1 [0048.075] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$Recycle.bin") returned 1 [0048.075] lstrcmpiW (lpString1="usertile30.bmp", lpString2="System Volume Information") returned 1 [0048.075] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files") returned 1 [0048.075] lstrcmpiW (lpString1="usertile30.bmp", lpString2="Program Files (x86)") returned 1 [0048.075] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 82 [0048.075] StrStrIW (lpFirst="usertile30.bmp", lpSrch=".for") returned 0x0 [0048.075] lstrcmpW (lpString1="usertile30.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.075] lstrcmpW (lpString1="usertile30.bmp", lpString2="taridd") returned 1 [0048.075] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.075] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.343] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0048.343] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Windows") returned -1 [0048.343] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$Recycle.bin") returned 1 [0048.343] lstrcmpiW (lpString1="usertile31.bmp", lpString2="System Volume Information") returned 1 [0048.343] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files") returned 1 [0048.343] lstrcmpiW (lpString1="usertile31.bmp", lpString2="Program Files (x86)") returned 1 [0048.344] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 82 [0048.344] StrStrIW (lpFirst="usertile31.bmp", lpSrch=".for") returned 0x0 [0048.344] lstrcmpW (lpString1="usertile31.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.344] lstrcmpW (lpString1="usertile31.bmp", lpString2="taridd") returned 1 [0048.344] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.344] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0048.344] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Windows") returned -1 [0048.344] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$Recycle.bin") returned 1 [0048.344] lstrcmpiW (lpString1="usertile32.bmp", lpString2="System Volume Information") returned 1 [0048.344] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files") returned 1 [0048.344] lstrcmpiW (lpString1="usertile32.bmp", lpString2="Program Files (x86)") returned 1 [0048.344] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 82 [0048.344] StrStrIW (lpFirst="usertile32.bmp", lpSrch=".for") returned 0x0 [0048.344] lstrcmpW (lpString1="usertile32.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.344] lstrcmpW (lpString1="usertile32.bmp", lpString2="taridd") returned 1 [0048.344] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.344] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0048.344] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Windows") returned -1 [0048.344] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$Recycle.bin") returned 1 [0048.344] lstrcmpiW (lpString1="usertile33.bmp", lpString2="System Volume Information") returned 1 [0048.344] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files") returned 1 [0048.345] lstrcmpiW (lpString1="usertile33.bmp", lpString2="Program Files (x86)") returned 1 [0048.345] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 82 [0048.345] StrStrIW (lpFirst="usertile33.bmp", lpSrch=".for") returned 0x0 [0048.345] lstrcmpW (lpString1="usertile33.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.345] lstrcmpW (lpString1="usertile33.bmp", lpString2="taridd") returned 1 [0048.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.345] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0048.345] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Windows") returned -1 [0048.345] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$Recycle.bin") returned 1 [0048.345] lstrcmpiW (lpString1="usertile34.bmp", lpString2="System Volume Information") returned 1 [0048.345] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files") returned 1 [0048.345] lstrcmpiW (lpString1="usertile34.bmp", lpString2="Program Files (x86)") returned 1 [0048.345] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 82 [0048.345] StrStrIW (lpFirst="usertile34.bmp", lpSrch=".for") returned 0x0 [0048.345] lstrcmpW (lpString1="usertile34.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.345] lstrcmpW (lpString1="usertile34.bmp", lpString2="taridd") returned 1 [0048.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.353] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0048.353] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Windows") returned -1 [0048.353] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$Recycle.bin") returned 1 [0048.353] lstrcmpiW (lpString1="usertile35.bmp", lpString2="System Volume Information") returned 1 [0048.353] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files") returned 1 [0048.353] lstrcmpiW (lpString1="usertile35.bmp", lpString2="Program Files (x86)") returned 1 [0048.353] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 82 [0048.353] StrStrIW (lpFirst="usertile35.bmp", lpSrch=".for") returned 0x0 [0048.353] lstrcmpW (lpString1="usertile35.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.353] lstrcmpW (lpString1="usertile35.bmp", lpString2="taridd") returned 1 [0048.353] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.353] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.354] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0048.354] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Windows") returned -1 [0048.354] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$Recycle.bin") returned 1 [0048.354] lstrcmpiW (lpString1="usertile36.bmp", lpString2="System Volume Information") returned 1 [0048.354] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files") returned 1 [0048.354] lstrcmpiW (lpString1="usertile36.bmp", lpString2="Program Files (x86)") returned 1 [0048.354] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 82 [0048.354] StrStrIW (lpFirst="usertile36.bmp", lpSrch=".for") returned 0x0 [0048.354] lstrcmpW (lpString1="usertile36.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.354] lstrcmpW (lpString1="usertile36.bmp", lpString2="taridd") returned 1 [0048.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.354] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0048.354] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Windows") returned -1 [0048.354] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$Recycle.bin") returned 1 [0048.354] lstrcmpiW (lpString1="usertile37.bmp", lpString2="System Volume Information") returned 1 [0048.354] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files") returned 1 [0048.354] lstrcmpiW (lpString1="usertile37.bmp", lpString2="Program Files (x86)") returned 1 [0048.354] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 82 [0048.354] StrStrIW (lpFirst="usertile37.bmp", lpSrch=".for") returned 0x0 [0048.354] lstrcmpW (lpString1="usertile37.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.354] lstrcmpW (lpString1="usertile37.bmp", lpString2="taridd") returned 1 [0048.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.354] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0048.354] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Windows") returned -1 [0048.354] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$Recycle.bin") returned 1 [0048.354] lstrcmpiW (lpString1="usertile38.bmp", lpString2="System Volume Information") returned 1 [0048.354] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files") returned 1 [0048.354] lstrcmpiW (lpString1="usertile38.bmp", lpString2="Program Files (x86)") returned 1 [0048.354] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 82 [0048.354] StrStrIW (lpFirst="usertile38.bmp", lpSrch=".for") returned 0x0 [0048.355] lstrcmpW (lpString1="usertile38.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.355] lstrcmpW (lpString1="usertile38.bmp", lpString2="taridd") returned 1 [0048.355] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.355] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.379] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0048.379] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Windows") returned -1 [0048.379] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$Recycle.bin") returned 1 [0048.379] lstrcmpiW (lpString1="usertile39.bmp", lpString2="System Volume Information") returned 1 [0048.379] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files") returned 1 [0048.379] lstrcmpiW (lpString1="usertile39.bmp", lpString2="Program Files (x86)") returned 1 [0048.379] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 82 [0048.379] StrStrIW (lpFirst="usertile39.bmp", lpSrch=".for") returned 0x0 [0048.379] lstrcmpW (lpString1="usertile39.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.379] lstrcmpW (lpString1="usertile39.bmp", lpString2="taridd") returned 1 [0048.379] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.379] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.379] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0048.379] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Windows") returned -1 [0048.379] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$Recycle.bin") returned 1 [0048.380] lstrcmpiW (lpString1="usertile40.bmp", lpString2="System Volume Information") returned 1 [0048.380] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files") returned 1 [0048.380] lstrcmpiW (lpString1="usertile40.bmp", lpString2="Program Files (x86)") returned 1 [0048.380] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 82 [0048.380] StrStrIW (lpFirst="usertile40.bmp", lpSrch=".for") returned 0x0 [0048.380] lstrcmpW (lpString1="usertile40.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.380] lstrcmpW (lpString1="usertile40.bmp", lpString2="taridd") returned 1 [0048.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.380] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0048.380] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Windows") returned -1 [0048.380] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$Recycle.bin") returned 1 [0048.380] lstrcmpiW (lpString1="usertile41.bmp", lpString2="System Volume Information") returned 1 [0048.380] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files") returned 1 [0048.380] lstrcmpiW (lpString1="usertile41.bmp", lpString2="Program Files (x86)") returned 1 [0048.380] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 82 [0048.380] StrStrIW (lpFirst="usertile41.bmp", lpSrch=".for") returned 0x0 [0048.380] lstrcmpW (lpString1="usertile41.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.380] lstrcmpW (lpString1="usertile41.bmp", lpString2="taridd") returned 1 [0048.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.380] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0048.380] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Windows") returned -1 [0048.380] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$Recycle.bin") returned 1 [0048.380] lstrcmpiW (lpString1="usertile42.bmp", lpString2="System Volume Information") returned 1 [0048.380] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files") returned 1 [0048.380] lstrcmpiW (lpString1="usertile42.bmp", lpString2="Program Files (x86)") returned 1 [0048.380] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 82 [0048.380] StrStrIW (lpFirst="usertile42.bmp", lpSrch=".for") returned 0x0 [0048.380] lstrcmpW (lpString1="usertile42.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.381] lstrcmpW (lpString1="usertile42.bmp", lpString2="taridd") returned 1 [0048.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.381] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0048.381] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Windows") returned -1 [0048.381] lstrcmpiW (lpString1="usertile43.bmp", lpString2="$Recycle.bin") returned 1 [0048.381] lstrcmpiW (lpString1="usertile43.bmp", lpString2="System Volume Information") returned 1 [0048.381] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files") returned 1 [0048.381] lstrcmpiW (lpString1="usertile43.bmp", lpString2="Program Files (x86)") returned 1 [0048.381] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 82 [0048.381] StrStrIW (lpFirst="usertile43.bmp", lpSrch=".for") returned 0x0 [0048.381] lstrcmpW (lpString1="usertile43.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.381] lstrcmpW (lpString1="usertile43.bmp", lpString2="taridd") returned 1 [0048.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.381] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0048.381] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Windows") returned -1 [0048.381] lstrcmpiW (lpString1="usertile44.bmp", lpString2="$Recycle.bin") returned 1 [0048.381] lstrcmpiW (lpString1="usertile44.bmp", lpString2="System Volume Information") returned 1 [0048.381] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files") returned 1 [0048.381] lstrcmpiW (lpString1="usertile44.bmp", lpString2="Program Files (x86)") returned 1 [0048.381] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 82 [0048.381] StrStrIW (lpFirst="usertile44.bmp", lpSrch=".for") returned 0x0 [0048.381] lstrcmpW (lpString1="usertile44.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.381] lstrcmpW (lpString1="usertile44.bmp", lpString2="taridd") returned 1 [0048.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.381] FindNextFileW (in: hFindFile=0x535b60, lpFindFileData=0x2d8ede8 | out: lpFindFileData=0x2d8ede8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x5306c8, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0048.381] FindClose (in: hFindFile=0x535b60 | out: hFindFile=0x535b60) returned 1 [0048.382] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0048.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0048.610] WriteFile (in: hFile=0x208, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8edb4, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8edb4*=0x2b0, lpOverlapped=0x0) returned 1 [0048.611] CloseHandle (hObject=0x208) returned 1 [0048.611] GetProcessHeap () returned 0x4e0000 [0048.611] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0048.611] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0048.611] lstrcmpiW (lpString1="guest.bmp", lpString2="Windows") returned -1 [0048.611] lstrcmpiW (lpString1="guest.bmp", lpString2="$Recycle.bin") returned 1 [0048.611] lstrcmpiW (lpString1="guest.bmp", lpString2="System Volume Information") returned -1 [0048.611] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files") returned -1 [0048.611] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files (x86)") returned -1 [0048.611] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0048.611] StrStrIW (lpFirst="guest.bmp", lpSrch=".for") returned 0x0 [0048.611] lstrcmpW (lpString1="guest.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.611] lstrcmpW (lpString1="guest.bmp", lpString2="taridd") returned -1 [0048.611] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0048.612] GetTickCount () returned 0x114697d [0048.612] GetTickCount () returned 0x114697d [0048.612] GetTickCount () returned 0x114697d [0048.612] GetTickCount () returned 0x114697d [0048.612] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0048.612] GetProcessHeap () returned 0x4e0000 [0048.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0048.612] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0048.616] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.616] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0048.616] GetProcessHeap () returned 0x4e0000 [0048.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0048.616] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.616] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0048.617] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0048.617] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0048.617] CloseHandle (hObject=0x208) returned 1 [0048.617] GetProcessHeap () returned 0x4e0000 [0048.617] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0048.617] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp_forv_{KNUJ5K}.for") returned 78 [0048.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp_forv_{knuj5k}.for")) returned 1 [0048.617] GetProcessHeap () returned 0x4e0000 [0048.617] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0048.617] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0048.617] lstrcmpiW (lpString1="user.bmp", lpString2="Windows") returned -1 [0048.617] lstrcmpiW (lpString1="user.bmp", lpString2="$Recycle.bin") returned 1 [0048.618] lstrcmpiW (lpString1="user.bmp", lpString2="System Volume Information") returned 1 [0048.618] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files") returned 1 [0048.618] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files (x86)") returned 1 [0048.618] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0048.618] StrStrIW (lpFirst="user.bmp", lpSrch=".for") returned 0x0 [0048.618] lstrcmpW (lpString1="user.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0048.618] lstrcmpW (lpString1="user.bmp", lpString2="taridd") returned 1 [0048.618] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", lpStr2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3", nChar=122) returned -1 [0048.618] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0048.618] GetTickCount () returned 0x114697d [0048.618] GetTickCount () returned 0x114697d [0048.618] GetTickCount () returned 0x114697d [0048.618] GetTickCount () returned 0x114697d [0048.618] CryptEncrypt (in: hKey=0x4ff5a8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x2c, dwBufLen=0x80 | out: pbData=0x2d8ef80*, pdwDataLen=0x2d8f030*=0x80) returned 1 [0048.618] GetProcessHeap () returned 0x4e0000 [0048.618] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2800) returned 0x5064d8 [0048.618] ReadFile (in: hFile=0x208, lpBuffer=0x5064d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesRead=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0048.619] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.619] WriteFile (in: hFile=0x208, lpBuffer=0x5064d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x5064d8*, lpNumberOfBytesWritten=0x2d8f034*=0x2800, lpOverlapped=0x0) returned 1 [0048.619] GetProcessHeap () returned 0x4e0000 [0048.619] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5064d8 | out: hHeap=0x4e0000) returned 1 [0048.619] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.619] WriteFile (in: hFile=0x208, lpBuffer=0x4ffe10*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x4ffe10*, lpNumberOfBytesWritten=0x2d8f034*=0x300, lpOverlapped=0x0) returned 1 [0048.619] WriteFile (in: hFile=0x208, lpBuffer=0x2d8ef80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x2d8ef80*, lpNumberOfBytesWritten=0x2d8f034*=0x80, lpOverlapped=0x0) returned 1 [0048.619] WriteFile (in: hFile=0x208, lpBuffer=0x186230*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2d8f034, lpOverlapped=0x0 | out: lpBuffer=0x186230*, lpNumberOfBytesWritten=0x2d8f034*=0x4, lpOverlapped=0x0) returned 1 [0048.619] CloseHandle (hObject=0x208) returned 1 [0048.619] GetProcessHeap () returned 0x4e0000 [0048.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x5306d0 [0048.620] wnsprintfW (in: pszDest=0x5306d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp_forv_{KNUJ5K}.for") returned 77 [0048.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp_forv_{KNUJ5K}.for" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp_forv_{knuj5k}.for")) returned 1 [0048.620] GetProcessHeap () returned 0x4e0000 [0048.620] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x5306d0 | out: hHeap=0x4e0000) returned 1 [0048.620] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0048.620] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0048.620] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0048.620] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0048.621] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0048.622] CloseHandle (hObject=0x150) returned 1 [0048.622] GetProcessHeap () returned 0x4e0000 [0048.622] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0048.622] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0048.622] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0048.622] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0048.622] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0048.622] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0048.622] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0048.622] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0048.623] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0048.623] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0048.623] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0048.623] GetProcessHeap () returned 0x4e0000 [0048.623] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0048.623] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned 36 [0048.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0048.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0048.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0048.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0048.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0048.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0048.623] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\.") returned 36 [0048.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.623] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0048.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0048.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0048.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0048.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0048.623] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\..") returned 37 [0048.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0048.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.623] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.623] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0048.623] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0048.624] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\vault\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0048.624] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0048.626] CloseHandle (hObject=0x150) returned 1 [0048.626] GetProcessHeap () returned 0x4e0000 [0048.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0048.626] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0048.626] lstrcmpiW (lpString1="VISIO", lpString2="Windows") returned -1 [0048.626] lstrcmpiW (lpString1="VISIO", lpString2="$Recycle.bin") returned 1 [0048.626] lstrcmpiW (lpString1="VISIO", lpString2="System Volume Information") returned 1 [0048.626] lstrcmpiW (lpString1="VISIO", lpString2="Program Files") returned 1 [0048.626] lstrcmpiW (lpString1="VISIO", lpString2="Program Files (x86)") returned 1 [0048.626] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned 34 [0048.626] lstrcmpW (lpString1="VISIO", lpString2=".") returned 1 [0048.626] lstrcmpW (lpString1="VISIO", lpString2="..") returned 1 [0048.626] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0048.626] GetProcessHeap () returned 0x4e0000 [0048.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0048.626] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*") returned 36 [0048.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*", lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x535b20 [0048.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0048.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0048.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0048.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0048.628] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0048.628] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\.") returned 36 [0048.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.628] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0048.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0048.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0048.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0048.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0048.628] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\..") returned 37 [0048.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0048.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.628] FindNextFileW (in: hFindFile=0x535b20, lpFindFileData=0x2d8f070 | out: lpFindFileData=0x2d8f070*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.628] FindClose (in: hFindFile=0x535b20 | out: hFindFile=0x535b20) returned 1 [0048.628] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0048.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\visio\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0048.628] WriteFile (in: hFile=0x150, lpBuffer=0x186440*, nNumberOfBytesToWrite=0x2b0, lpNumberOfBytesWritten=0x2d8f03c, lpOverlapped=0x0 | out: lpBuffer=0x186440*, lpNumberOfBytesWritten=0x2d8f03c*=0x2b0, lpOverlapped=0x0) returned 1 [0048.629] CloseHandle (hObject=0x150) returned 1 [0048.629] GetProcessHeap () returned 0x4e0000 [0048.629] HeapFree (in: hHeap=0x4e0000, dwFlags=0x8, lpMem=0x542af8 | out: hHeap=0x4e0000) returned 1 [0048.629] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0048.629] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0048.629] FindNextFileW (in: hFindFile=0x535ae0, lpFindFileData=0x2d8f2f8 | out: lpFindFileData=0x2d8f2f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0048.629] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0048.629] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0048.629] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0048.629] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0048.629] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0048.630] wnsprintfW (in: pszDest=0x511b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0048.630] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0048.630] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0048.630] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned -1 [0048.630] GetProcessHeap () returned 0x4e0000 [0048.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x400) returned 0x542af8 [0048.630] wnsprintfW (in: pszDest=0x542af8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned 47 [0048.630] FindFirstFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x2d8f070) Thread: id = 26 os_tid = 0x2b4 Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x5164f000" os_pid = "0x314" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x794" cmd_line = "\"C:\\Windows\\sysnative\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 5 os_tid = 0x114 Thread: id = 7 os_tid = 0x790 Thread: id = 8 os_tid = 0x7bc Thread: id = 9 os_tid = 0x15c Thread: id = 10 os_tid = 0x444 Process: id = "3" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x50067000" os_pid = "0x7b8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x314" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004f069" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 11 os_tid = 0x660 Thread: id = 12 os_tid = 0x408 Thread: id = 13 os_tid = 0x5f0 Thread: id = 14 os_tid = 0x6a8 [0029.746] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xfed720 | out: lpSystemTimeAsFileTime=0xfed720*(dwLowDateTime=0x37797070, dwHighDateTime=0x1d593ef)) [0029.746] GetCurrentProcessId () returned 0x7b8 [0029.746] GetCurrentThreadId () returned 0x6a8 [0029.746] GetTickCount () returned 0x114208c [0029.746] QueryPerformanceCounter (in: lpPerformanceCount=0xfed728 | out: lpPerformanceCount=0xfed728*=14995279380) returned 1 [0029.747] malloc (_Size=0x100) returned 0x588e80 [0057.388] free (_Block=0x588e80) Thread: id = 15 os_tid = 0x4a4 Thread: id = 16 os_tid = 0x110 Thread: id = 17 os_tid = 0x5b8 Thread: id = 18 os_tid = 0x58c Thread: id = 25 os_tid = 0x30c Thread: id = 27 os_tid = 0x8cc Thread: id = 28 os_tid = 0x98c Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4e96c000" os_pid = "0x4f0" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x7b8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004ff7c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 19 os_tid = 0x738 Thread: id = 20 os_tid = 0x56c Thread: id = 21 os_tid = 0x664 Thread: id = 22 os_tid = 0x128 Thread: id = 23 os_tid = 0x6b4 Thread: id = 24 os_tid = 0x6f4 Thread: id = 29 os_tid = 0x990 Process: id = "5" image_name = "3prmmvyzl7l6ych05qf1abb2nvhrv3.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\3prmmvyzl7l6ych05qf1abb2nvhrv3.exe" page_root = "0x7ad31000" os_pid = "0x53c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e5ad" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x540 [0076.488] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d30000 [0076.489] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x72c80000 [0076.513] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74f20000 [0076.517] GetModuleHandleA (lpModuleName=0x0) returned 0x9b0000 [0076.517] FindResourceW (hModule=0x9b0000, lpName=0x7f, lpType=0xa) returned 0x9b8048 [0076.519] LoadResource (hModule=0x9b0000, hResInfo=0x9b8048) returned 0x9b8058 [0076.519] SizeofResource (hModule=0x9b0000, hResInfo=0x9b8048) returned 0x134a [0076.519] GetProcessHeap () returned 0x320000 [0076.519] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x8, Size=0x134a) returned 0x33e710 [0076.520] GetUserDefaultLangID () returned 0x409 [0076.521] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2cf788 | out: TokenHandle=0x2cf788*=0xa4) returned 1 [0076.521] GetTokenInformation (in: TokenHandle=0xa4, TokenInformationClass=0x14, TokenInformation=0x2cf780, TokenInformationLength=0x4, ReturnLength=0x2cf784 | out: TokenInformation=0x2cf780, ReturnLength=0x2cf784) returned 1 [0076.521] CloseHandle (hObject=0xa4) returned 1 [0076.521] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cf578, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\3prmmvyzl7l6ych05qf1abb2nvhrv3.exe")) returned 0x7e [0076.521] ShellExecuteW (hwnd=0x0, lpOperation="runas", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe", lpParameters=0x0, lpDirectory=0x0, nShowCmd=1) returned 0x2a [0092.753] ExitProcess (uExitCode=0x0) Thread: id = 31 os_tid = 0x58c Thread: id = 32 os_tid = 0x594 Thread: id = 33 os_tid = 0x618 Process: id = "6" image_name = "3prmmvyzl7l6ych05qf1abb2nvhrv3.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\3prmmvyzl7l6ych05qf1abb2nvhrv3.exe" page_root = "0x6ea09000" os_pid = "0x788" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x53c" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3pRMMVYZl7L6YCH05Qf1aBB2Nvhrv3.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e5ad" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0x7d4 [0092.790] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d30000 [0092.791] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x72c80000 [0092.793] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74f20000 [0092.797] GetModuleHandleA (lpModuleName=0x0) returned 0x9b0000 [0092.797] FindResourceW (hModule=0x9b0000, lpName=0x7f, lpType=0xa) returned 0x9b8048 [0092.799] LoadResource (hModule=0x9b0000, hResInfo=0x9b8048) returned 0x9b8058 [0092.799] SizeofResource (hModule=0x9b0000, hResInfo=0x9b8048) returned 0x134a [0092.799] GetProcessHeap () returned 0x550000 [0092.799] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x134a) returned 0x56e6a0 [0092.799] GetUserDefaultLangID () returned 0x409 [0092.826] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1df8dc | out: TokenHandle=0x1df8dc*=0xa4) returned 1 [0092.826] GetTokenInformation (in: TokenHandle=0xa4, TokenInformationClass=0x14, TokenInformation=0x1df8d4, TokenInformationLength=0x4, ReturnLength=0x1df8d8 | out: TokenInformation=0x1df8d4, ReturnLength=0x1df8d8) returned 1 [0092.826] CloseHandle (hObject=0xa4) returned 1 [0092.826] CryptAcquireContextW (in: phProv=0x1dfe40, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1dfe40*=0x56fa38) returned 1 [0092.839] CryptGenKey (in: hProv=0x56fa38, Algid=0xa400, dwFlags=0x4000001, phKey=0x1df8d0 | out: phKey=0x1df8d0*=0x56f9f8) returned 1 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x8) returned 0x574580 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400) returned 0x574590 [0092.941] CryptExportKey (in: hKey=0x56f9f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x574590, pdwDataLen=0x1df8d8 | out: pbData=0x574590*, pdwDataLen=0x1df8d8*=0x94) returned 1 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x94) returned 0x574998 [0092.941] CryptExportKey (in: hKey=0x56f9f8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x574590, pdwDataLen=0x1df8d8 | out: pbData=0x574590*, pdwDataLen=0x1df8d8*=0x254) returned 1 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x254) returned 0x574a38 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] HeapFree (in: hHeap=0x550000, dwFlags=0x8, lpMem=0x574590 | out: hHeap=0x550000) returned 0 [0092.941] CryptDestroyKey (hKey=0x56f9f8) returned 1 [0092.941] CryptImportKey (in: hProv=0x56fa38, pbData=0x574998, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0x9b601c | out: phKey=0x9b601c*=0x56f9f8) returned 1 [0092.941] GetProcessHeap () returned 0x550000 [0092.941] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2800) returned 0x5702d0 [0092.941] CryptImportKey (in: hProv=0x56fa38, pbData=0x56e6a0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x1dfe38 | out: phKey=0x1dfe38*=0x572ad8) returned 1 [0092.941] CryptEncrypt (in: hKey=0x572ad8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0xf5, dwBufLen=0x100 | out: pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0x100) returned 1 [0092.942] CryptEncrypt (in: hKey=0x572ad8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0xf5, dwBufLen=0x100 | out: pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0x100) returned 1 [0092.942] CryptEncrypt (in: hKey=0x572ad8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0x6a, dwBufLen=0x100 | out: pbData=0x1dfd34*, pdwDataLen=0x1dfe3c*=0x100) returned 1 [0092.942] CryptDestroyKey (hKey=0x572ad8) returned 1 [0092.942] GetProcessHeap () returned 0x550000 [0092.942] HeapFree (hHeap=0x550000, dwFlags=0x8, lpMem=0x574998)